sqc 0.4.13 - Docs.rs

SQLite format 3@  1f*1.v�
�'
J
�
!��
�
l���b�`�X�tabletaskstasks?CREATE TABLE "tasks" (
            id           INTEGER PRIMARY KEY AUTOINCREMENT,
            title        TEXT NOT NULL,
            details      TEXT,
            status       TEXT NOT NULL CHECK(status IN ('pending','partial','in-progress','done')),
            priority     INTEGER NOT NULL DEFAULT 3 CHECK(priority BETWEEN 1 AND 5),
            created_at   TEXT NOT NULL,
            started_at   TEXT,
            completed_at TEXT
        )Z3{indexidx_deps_depends_ondepsCREATE INDEX idx_deps_depends_on ON deps(depends_on_id)B
%Yindexidx_tags_tagtagsCREATE INDEX idx_tags_tag ON tags(tag)x
?�'indexidx_tasks_status_prioritytasksCREATE INDEX idx_tasks_status_priority ON tasks(status, priority, created_at)^�tablemetametaCREATE TABLE meta (
    key   TEXT PRIMARY KEY,
    value TEXT NOT NULL
)';indexsqlite_autoindex_meta_1meta	��tabledepsdepsCREATE TABLE deps (
    task_id       INTEGER NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
    depends_on_id INTEGER NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
    PRIMARY KEY (task_id, depends_on_id),
    CHECK (task_id <> depends_on_id)
)';indexsqlite_autoindex_deps_1deps�)�5tabletagstagsCREATE TABLE tags (
    task_id INTEGER NOT NULL REFERENCES tasks(id) ON DELETE CASCADE,
    tag     TEXT NOT NULL,
    PRIMARY KEY (task_id, tag)
)';indexsqlite_autoindex_tags_1tagsyP++Ytablesqlite_sequencesqlite_sequenceCREATE TABLE sqlite_sequence(name,seq)��gtabletaskstasksCREATE TABLE tasks (
    id           INTEGER PRIMARY KEY AUTOINCREMENT,
    title        TEXT NOT NULL,
    details      TEXT,
    status       TEXT NOT NULL CHECK(status IN ('pending','in-progress','done')),
    priority     INTEGER NOT NULL DEFAULT 3 CHECK(priority BETWEEN 1 AND 5),
    created_at   TEXT NOT NULL,
    started_at   TEXT,
    completed_at TEXT
)�
��aA!����_>
�
�
�
�
~
^
>
����~^>����~^>
�
�
�
�
~
^
>
	�	�	�	�	~	^	>	����~^>����~^>����~^>����~^>����~^>����~^>����~^>����~^>� 5done2026-05-07T18:45:37Z�5done2026-04-30T15:42:09Z~5done2026-04-30T15:42:09Z}5done2026-04-30T15:42:09Z|5done2026-04-30T15:42:09Z{5done2026-04-30T15:42:09Zz5done2026-04-30T15:42:09Zy5done2026-04-30T15:41:49Zx5done2026-04-30T15:41:49Zw5done2026-04-30T11:20:20Zr5done2026-04-28T18:59:56Zq5done2026-04-23T17:44:45Zp5done2026-04-22T19:22:42Zn5done2026-04-22T19:22:38Zm5done2026-04-20T17:24:37Zl5done2026-04-20T16:58:09Zk5done2026-04-20T16:58:09Zj5done2026-04-20T16:58:09Zi5done2026-04-20T16:58:09Zh5done2026-04-20T16:58:09Zg5done2026-04-20T16:58:09Zf5done2026-04-20T16:58:09Ze5done2026-04-20T16:58:09Zd5done2026-04-20T16:58:09Zc5done2026-04-20T16:58:09Zb5done2026-04-20T16:58:09Za5done2026-04-20T16:58:09Z`5done2026-04-20T16:58:09Z_5done2026-04-20T16:58:09Z^5done2026-04-20T16:58:09Z]5done2026-04-20T16:58:09Z\5done2026-04-20T16:58:09Z[5done2026-04-20T16:58:08ZZ5done2026-04-20T16:58:08ZY5done2026-04-20T16:58:08ZX5done2026-04-20T16:58:08ZW5done2026-04-20T16:58:08ZV5done2026-04-20T16:58:08ZU5done2026-04-20T16:58:08ZT5done2026-04-20T16:58:08ZS5done2026-04-20T16:58:08ZR5done2026-04-20T16:58:08ZQ5done2026-04-20T16:58:08ZP5done2026-04-20T16:58:08ZO5done2026-04-20T16:58:08ZN5done2026-04-20T16:58:08ZM5done2026-04-20T16:58:08ZL5done2026-04-20T16:58:08ZK5done2026-04-20T16:58:08ZJ5done2026-04-20T16:58:08ZI5done2026-04-20T16:58:08ZH5done2026-04-20T16:58:08ZG5done2026-04-20T16:58:08ZF5done2026-04-20T16:58:08ZE5done2026-04-20T16:58:08ZD5done2026-04-20T16:58:08ZC5done2026-04-20T16:58:08ZB5done2026-04-20T16:58:08ZA5done2026-04-20T16:58:08Z@5done2026-04-20T16:58:08Z?5done2026-04-20T16:58:08Z>5done2026-04-20T16:58:08Z=5done2026-04-20T16:58:08Z<5done2026-04-20T16:58:08Z;5done2026-04-20T16:58:08Z:5done2026-04-20T16:58:08Z95done2026-04-20T16:58:08Z85done2026-04-20T16:58:08Z75done2026-04-20T16:58:08Z65done2026-04-20T16:58:08Z55done2026-04-20T16:58:08Z45done2026-04-20T16:58:08Z35done2026-04-20T16:58:08Z25done2026-04-20T16:58:08Z15done2026-04-20T16:58:08Z05done2026-04-20T16:58:08Z/5done2026-04-20T16:58:08Z.5done2026-04-20T16:58:08Z-5done2026-04-20T16:58:08Z,5done2026-04-20T16:58:08Z+5done2026-04-20T16:58:08Z*5done2026-04-20T16:58:08Z)5done2026-04-20T16:58:08Z(5done2026-04-20T16:58:08Z'5done2026-04-20T16:58:08Z&5done2026-04-20T16:58:08Z%5done2026-04-20T16:58:08Z$5done2026-04-20T16:58:08Z#5done2026-04-20T16:58:08Z"5done2026-04-20T16:58:08Z!5done2026-04-20T16:58:08Z 5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z 5done2026-05-07T18:45:33Z� 5done2026-05-07T18:45:32Z� 5done2026-05-07T18:45:24Z�5done2026-04-30T15:41:49Zu5done2026-04-30T15:41:33Zt5done2026-04-30T15:41:33Zs5done2026-04-23T13:56:29Zo5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z
5done2026-04-20T16:4
5done2026-04-20T16:58:08ZH
���tasks_new�
tasks��*������zjZJ:*
��������zj]PE8- 
�
�
�
�
�
�
�
�
�
�
�
v
i
^
S
F
9
.
!

	�����������xmbUH=0#�����������wj]RE8- 
�
�
�
�
�
�
�
�
�
�

t
g
Z
O
B
7
*


	�	�	�	�	�	�	�	�	�	�	z	l	^	P	B	6	(			���������zn`RF8*���������xj\N@2$
����������tfXJ<."����������rfXJ<0"����������vh\N@4&
����������tfVH:,��������~n`RD4&�
Zchanged
�	Zbenchmark�Zv0.3.82�Zrelease�Ychanged
�Ybenchmark�Yv0.3.81�Yrelease�Xchanged
�Xbenchmark�Xv0.3.80�Xrelease�~Wchanged
�}Wbenchmark�|Wv0.3.79�{Wrelease�zVchanged
�yVbenchmark�xVv0.3.78�wVrelease�vUchanged
�uUbenchmark�tUv0.3.77�sUrelease�rTchanged
�qTbenchmark�pTv0.3.76�oTrelease	�nSadded�mSv0.3.75�lSrelease�kRresults	�jRfixed	�iRadded�hRv0.3.74�gRrelease�fQresults	�eQfixed�dQv0.3.67�cQrelease	�bPadded�aPv0.3.66�`Prelease	�_Ofixed�^Ov0.3.65�]Orelease	�\Nadded�[Nv0.3.64�ZNrelease	�YMfixed	�XMadded�WMv0.3.63�VMrelease	�ULfixed�TLv0.3.62�SLrelease	�RKadded�QKv0.3.61�PKrelease�OJresults	�NJadded�MJv0.3.60�LJrelease�KIresults	�JIadded�IIv0.3.59�HIrelease�GHresults	�FHadded�EHv0.3.58�DHrelease	�CGfixed�BGv0.3.57�AGrelease	�@Fadded�?Fv0.3.56�>Frelease�=Eresults�<Echanged�;Ev0.3.52�:Erelease	�9Dadded�8Dv0.3.51�7Drelease�6Cchanged�5Cv0.3.50�4Crelease�3Bchanged�2Bv0.3.49�1Brelease	�0Afixed�/Achanged	�.Aadded�-Av0.3.48�,Arelease�+@results�*@changed�)@v0.3.47�(@release�'?results�&?changed�%?v0.3.46�$?release�#>results�">changed�!>v0.3.44� >release	�=added�=v0.3.43�=release	�<fixed�<changed�<v0.3.42�<release	�;fixed�;v0.3.39�;release	�:fixed�:changed�:v0.3.38�:release	�9fixed�9v0.3.37�9release	�8added�
8v0.3.36�8release	�7fixed�
7changed	�	7added�7v0.3.35�7release	�6fixed�6v0.3.34�6release�5removed�5changed�5v0.3.33�5release	4fixed~4v0.3.32}4release	|3fixed{3v0.3.31z3release	y2fixedx2v0.3.30w2releasev1changed	u1addedt1v0.3.28s1release	r0fixedq0changed	p0addedo0v0.3.27n0release	m/fixedl/v0.3.26k/release	j.fixed	i.addedh.v0.3.25g.releasef-changed	e-addedd-v0.3.24c-releaseb,changed	a,added`,v0.3.23_,release	^+fixed]+v0.3.22\+release	[*addedZ*v0.3.21Y*releaseX)changedW)v0.3.20V)release	U(fixedT(v0.3.19S(release	R'fixed	Q'addedP'v0.3.18O'release	N&addedM&v0.3.17L&release	K%addedJ%v0.3.15I%release	H$fixedG$v0.3.14F$release	E#fixed	D#addedC#v0.3.13B#release	A"fixed	@"added
?"v0.3.8>"release	=!added
<!v0.3.5;!release	: fixed
9 v0.3.38 release	7fixed6v0.2.255release	4fixed3v0.2.222release	1fixed	0added/v0.2.21.release	-fixed	,added+v0.2.20*release	)fixed(v0.2.17'release	&added%v0.2.16$release	#fixed	"added!v0.2.15 release	fixedchanged	addedv0.2.13release!plan-id:71!plan-id:70!plan-id:69!plan-id:68!plan-id:67!plan-id:66!plan-id:65!plan-id:64!plan-id:63!plan-id:62!
plan-id:61!plan-id:60!plan-id:59
!
plan-id:53!	plan-id:51!plan-id:49
!plan-id:47	!plan-id:37!plan-id:27!plan-id:20deferred!plan-id:10deferred
plan-id:9	deferred	pla)�
�(������raP?.��������sbQ)C5
�
�
�
�
�
�
�
�
�
c
W
}
o
/
#
I
;�

���������^Rwj*D6�������~r��JdV <.
�
�
�
�
�
�
�
�
r
d
�
~
<
0
V
H

"
	�	�	�	�	�	�	�	�	�	h	�	t	@	Z	L		2	$�		������wj��?[L0!�������u��JfW;,��������k\O�x"@1��������cp8TE
)���������_{l4PA	�%������{��PlA]	2�#�������bS�s$D5Wrelease�Vchanged�Vbenchmark�Vv0.3.78�Vrelease�Uchanged�Ubenchmark�Uv0.3.77�Urelease�Tchanged�Tbenchmark�Tv0.3.76�Trelease�Sadded�Sv0.3.75�Srelease�Rresults�Rfixed�Radded�Rv0.3.74�Rrelease�Qresults�Qfixed�Qv0.3.67�Qrelease�Padded�Pv0.3.66�Prelease�Ofixed�Ov0.3.65�Orelease�Nadded�Nv0.3.64�Nrelease�Mfixed�Madded�Mv0.3.63�Mrelease�Lfixed�Lv0.3.62�Lrelease�Kadded�Kv0.3.61�Krelease�Jresults�Jadded�Jv0.3.60�Jrelease�Iresults�Iadded�Iv0.3.59�Irelease�Hresults�Hadded�Hv0.3.58�Hrelease�Gfixed�Gv0.3.57�Grelease�Fadded�Fv0.3.56�Frelease�Eresults�Echanged�Ev0.3.52�Erelease�Dadded�Dv0.3.51�Drelease�Cchanged�Cv0.3.50�Crelease�Bchanged�Bv0.3.49�Brelease�Afixed�Achanged�Aadded�Av0.3.48�Arelease�@results�@changed�@v0.3.47�@release�?results�?changed�?v0.3.46�?release�>results�>changed�>v0.3.44�>release�=added�=v0.3.43�=release�<fixed�<changed�<v0.3.42�<release�;fixed�;v0.3.39�;release�:fixed�:changed�:v0.3.38�:release�9fixed�9v0.3.37�9release�8added�8v0.3.36�8release�7fixed�7changed�7added�7v0.3.35�7release�6fixed�6v0.3.34�6release�5removed�5changed�5v0.3.33�5release�4fixed
4v0.3.32~
4release}3fixed|
3v0.3.31{
3releasez2fixedy
2v0.3.30x
2releasew
1changedv1addedu
1v0.3.28t
1releases0fixedr
0changedq0addedp
0v0.3.27o
0releasen/fixedm
/v0.3.26l
/releasek.fixedj.addedi
.v0.3.25h
.releaseg
-changedf-addede
-v0.3.24d
-releasec
,changedb,addeda
,v0.3.23`
,release_+fixed^
+v0.3.22]
+release\*added[
*v0.3.21Z
*releaseY
)changedX
)v0.3.20W
)releaseV(fixedU
(v0.3.19T
(releaseS'fixedR'addedQ
'v0.3.18P
'releaseO&addedN
&v0.3.17M
&releaseL%addedK
%v0.3.15J
%releaseI$fixedH
$v0.3.14G
$releaseF#fixedE#addedD
#v0.3.13C
#releaseB"fixedA"added@"v0.3.8?
"release>!added=!v0.3.5<
!release; fixed: v0.3.39
 release8fixed7
v0.2.256
release5fixed4
v0.2.223
release2fixed1added0
v0.2.21/
release.fixed-added,
v0.2.20+
release*fixed)
v0.2.17(
release'added&
v0.2.16%
release$fixed#added"
v0.2.15!
release fixed
changedadded
v0.2.13
release!plan-id:71!plan-id:70!plan-id:69!plan-id:68!plan-id:67!plan-id:66!plan-id:65!plan-id:64!plan-id:63!plan-id:62!
plan-id:61!plan-id:60!plan-id:59!
plan-id:53
!	plan-id:51!plan-id:49!plan-id:47
!plan-id:37	!plan-id:27!plan-id:20deferred!plan-id:10deferredplan-id:9
	defe'Frelease�
��������

	
��������

		
��)schema_version2
��)	schema_version
I����>���aA!����_>
�
�
�
�
~
^
>
����~^>����~^>
�
�
�
�
~
^
>
	�	�	�	�	~	^	>	����~^>����~^��~^>����~^>����~^>����~^>����~^>����~^>� 5done2026-05-07T18:45:37Z�5done2026-04-30T15:42:09Z~5done2026-04-30T15:42:09Z}5done2026-04-30T15:42:09Z|5done2026-04-30T15:42:09Z{5done2026-04-30T15:42:09Zz5done2026-04-30T15:42:09Zy5done2026-04-30T15:41:49Zx5done2026-04-30T15:41:49Zw5done2026-04-30T11:20:20Zr5done2026-04-28T18:59:56Zq5done2026-04-23T17:44:45Zp5done2026-04-22T19:22:42Zn5done2026-04-22T19:22:38Zm5done2026-04-20T17:24:37Zl5done2026-04-20T16:58:09Zk5done2026-04-20T16:58:09Zj5done2026-04-20T16:58:09Zi5done2026-04-20T16:58:09Zh5done2026-04-20T16:58:09Zg5done2026-04-20T16:58:09Zf5done2026-04-20T16:58:09Ze5done2026-04-20T16:58:09Zd5done2026-04-20T16:58:09Zc5done2026-04-20T16:58:09Zb5done2026-04-20T16:58:09Za5done2026-04-20T16:58:09Z`5done2026-04-20T16:58:09Z_5done2026-04-20T16:58:09Z^5done2026-04-20T16:58:09Z]5done2026-04-20T16:58:09Z\5done2026-04-20T16:58:09Z[5done2026-04-20T16:58:08ZZ5done2026-04-20T16:58:08ZY5done2026-04-20T16:58:08ZX5done2026-04-20T16:58:08ZW5done2026-04-20T16:58:08ZV5done2026-04-20T16:58:08ZU5done2026-04-20T16:58:08ZT5done2026-04-20T16:58:08ZS5done2026-04-20T16:58:08ZR5done2026-04-20T16:58:08ZQ5done2026-04-20T16:58:08ZP5done2026-04-20T16:58:08ZO5done2026-04-20T16:58:08ZN5done2026-04-20T16:58:08ZM5done2026-04-20T16:58:08ZL	5done2026-05-07T18:45:18Z�	5done2026-05-07T18:45:17Z�	5done2026-05-17T15:29:05Z�	5done2026-05-17T15:29:05Z�5done2026-04-20T16:58:08ZG5done2026-04-20T16:58:08ZF5done2026-04-20T16:58:08ZE5done2026-04-20T16:58:08ZD5done2026-04-20T16:58:08ZC5done2026-04-20T16:58:08ZB5done2026-04-20T16:58:08ZA5done2026-04-20T16:58:08Z@5done2026-04-20T16:58:08Z?5done2026-04-20T16:58:08Z>5done2026-04-20T16:58:08Z=5done2026-04-20T16:58:08Z<5done2026-04-20T16:58:08Z;5done2026-04-20T16:58:08Z:5done2026-04-20T16:58:08Z95done2026-04-20T16:58:08Z85done2026-04-20T16:58:08Z75done2026-04-20T16:58:08Z65done2026-04-20T16:58:08Z55done2026-04-20T16:58:08Z45done2026-04-20T16:58:08Z35done2026-04-20T16:58:08Z25done2026-04-20T16:58:08Z15done2026-04-20T16:58:08Z05done2026-04-20T16:58:08Z/5done2026-04-20T16:58:08Z.5done2026-04-20T16:58:08Z-5done2026-04-20T16:58:08Z,5done2026-04-20T16:58:08Z+5done2026-04-20T16:58:08Z*5done2026-04-20T16:58:08Z)5done2026-04-20T16:58:08Z(5done2026-04-20T16:58:08Z'5done2026-04-20T16:58:08Z&5done2026-04-20T16:58:08Z%5done2026-04-20T16:58:08Z$5done2026-04-20T16:58:08Z#5done2026-04-20T16:58:08Z"5done2026-04-20T16:58:08Z!5done2026-04-20T16:58:08Z 5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z 5done2026-05-07T18:45:33Z� 5done2026-05-07T18:45:32Z� 5done2026-05-07T18:45:24Z�5done2026-04-30T15:41:49Zu5done2026-04-30T15:41:33Zt5done2026-04-30T15:41:33Zs5done2026-04-23T13:56:29Zo5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z
5done2026-04-20T16:45:55Z	5done2026-05-07T18:45:15Z�.�
�
����b@�h:
�
�	�	Y��:��e3��=��_�J��r<�U�\.
�
z	�	�	
�_+���_s=��e/���R���K
�
�
�
a
?
�����
�
�
X
6
	�	~	4	������b�����sdUF7(
�����������w?
�
�
�
w
U
3
���xV4���~P"
�
�
�
n
L
*
	�	�	q	L	'���yE��yR-���}K���zU0���f0���X"���wE	�R��X&�k3
�
�
�
k
I��lJ(����rD
�
�
�
(
b
@
	�	�	�	d	?	���l8��
lE ���p>���mH#���Y#����K���jreleasechanged
addedv0.3.87releasechangedbenchmarkv0.3.86releasechangedv0.3.85releasechangedv0.3.84releasechanged
v0.3.83releasechanged
benchmark	v0.3.82releasechangedbenchmarkv0.3.81releasechangedbenchmarkv0.3.80release�changed�benchmark�v0.3.79�release�changed�benchmark�v0.3.78�release�changed�benchmark�v0.3.77�release�changed�benchmark�v0.3.76�release�
added�v0.3.75�release�results�
fixed�
added�v0.3.74�release�results�
fixed�v0.3.67�release�
added�v0.3.66�release�
fixed�v0.3.65�release�
added�v0.3.64�release�
fixed�
added�v0.3.63�release�
fixed�v0.3.62�release�
added�v0.3.61�release�results�
added�v0.3.60�release�results�
added�v0.3.59�release�results�
added�v0.3.58�release�
fixed�v0.3.57�release�
added�v0.3.56�release�results�changed�v0.3.52�release�
added�v0.3.51�release�changed�v0.3.50�release�changed�v0.3.49�release�
fixed�changed�
added�v0.3.48�release�results�changed�v0.3.47�release�results�changed�v0.3.46�release�results�changed�v0.3.44�release�
added�v0.3.43�release�
fixed�changed�v0.3.42�release�
fixed�v0.3.39�release�
fixed�changed�v0.3.38�release�
fixed�v0.3.37�release�
added�v0.3.36�release�
fixed�changed�
added�v0.3.35�release�
fixed�v0.3.34�release�removed�changed�v0.3.33�release�	fixedv0.3.32~release}	fixed|v0.3.31{releasez	fixedyv0.3.30xreleasewchangedv	addeduv0.3.28treleases	fixedrchangedq	addedpv0.3.27oreleasen	fixedmv0.3.26lreleasek	fixedj	addediv0.3.25hreleasegchangedf	addedev0.3.24dreleasecchangedb	addedav0.3.23`release_	fixed^v0.3.22]release\	added[v0.3.21ZreleaseYchangedXv0.3.20WreleaseV	fixedUv0.3.19TreleaseS	fixedR	addedQv0.3.18PreleaseO	addedNv0.3.17MreleaseL	addedKv0.3.15JreleaseI	fixedHv0.3.14GreleaseF	fixedE	addedDv0.3.13CreleaseB	fixedA	added@
v0.3.8?release>	added=
v0.3.5<release;	fixed:
v0.3.39release8	fixed7v0.2.256release5	fixed4v0.2.223release2	fixed1	added0v0.2.21/release.	fixed-	added,v0.2.20+release*	fixed)v0.2.17(release'	added&v0.2.16%release$	fixed#	added"v0.2.15!release 	fixedchanged	addedv0.2.13release!plan-id:71!plan-id:70!plan-id:69!plan-id:68!plan-id:67!plan-id:66!plan-id:65!plan-id:64!plan-id:63!plan-id:62!plan-id:61!plan-id:60!plan-id:59!plan-id:53
!plan-id:51!plan-id:49!plan-id:47
!plan-id:37	!plan-id:27!plan-id:20deferred!plan-id:10deferred
plan-id:9deferr-releaseS
��������	
�D��
�
o
O
/
����oO/����oO/
�
�
�
�
o
O
/
	�	�	�	�	o	O	/	����oO/�������k%�����_<
�
�
�
�
�
�
��z
G�1555Analysis capabilities roadmapDescription:
Track fundamental analysis limitations and potential improvements.

Details:
DONE. Updated docs/architecture.rst with comprehensive inventory of all 10
analysis modules, current capabilities table (17 entries), known limitations
table (8 entries with impact descriptions), per-CWE ceiling analysis, and
updated competitor landscape from 5-tool benchmark. Previous version was
heavily outdated (referenced "No VRA", "No whole-program analysis", 48% TP
rate — all now incorrect).

Original status line: done (v0.3.87)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�K
I�Q555Inter-procedural .c test casesDescription:
Multi-file C test cases for prescan/call-site propagation.

Details:
DONE. Added 13 multi-file CLI integration tests exercising 4 cross-file
prescan capabilities:

  1. Callsite null propagation (EXP34-C): NULL arg detected across files,
     no detection without -d, safe caller not flagged. (3 tests)
  2. can_return_null (EXP34-C): unchecked nullable return detected,
     checked return safe. (2 tests)
  3. frees_params (MEM31-C): cross-file free suppresses leak, no
     suppression without -d, actual leak still detected. (3 tests)
  4. header_declared_functions (DCL15-C): header-prototyped functions
     suppressed, all flagged without -d. (2 tests)

  Fixtures: tests/fixtures/cli/{crossfile_callsite_null, crossfile_frees,
  crossfile_header}. Each &#	5in-progress2026-05-17T15:29:05Z�#5pending2026-05-17T15:29:05Z�H#5pending2026-05-17T15:29:05Z�"	5pending2026-05-17T15:29:05Z�"	5pending2026-05-17T15:29:05Z�3#5pending2026-05-17T15:29:05Z�"5partial2026-04-20T16:45:55Z 5done2026-05-07T18:45:37Z�5done2026-04-30T15:42:09Z~5done2026-04-30T15:42:09Z}5done2026-04-30T15:42:09Z|5done2026-04-30T15:42:09Z{5done2026-04-30T15:42:09Zz5done2026-04-30T15:42:09Zy5done2026-04-30T15:41:49Zx5done2026-04-30T15:41:49Zw5done2026-04-30T11:20:20Zr5done2026-04-28T18:59:56Zq5done2026-04-23T17:44:45Zp5done2026-04-22T19:22:42Zn5done2026-04-22T19:22:38Zm5done2026-04-20T17:24:37Zl5done2026-04-20T16:58:09Zk5done2026-04-20T16:58:09Zj5done2026-04-20T16:58:09Zi5done2026-04-20T16:58:09Zh5done2026-04-20T16:58:09Zg5done2026-04-20T16:58:09Zf5done2026-04-20T16:58:09Ze5done2026-04-20T16:58:09Zd5done2026-04-20T16:58:09Zc5done2026-04-20T16:58:09Zb5done2026-04-20T16:58:09Za5done2026-04-20T16:58:09Z`5done2026-04-20T16:58:09Z_5done2026-04-20T16:58:09Z^5done2026-04-20T16:58:09Z]5done2026-04-20T16:58:09Z\5done2026-04-20T16:58:09Z[5done2026-04-20T16:58:08ZZ5done2026-04-20T16:58:08ZY5done2026-04-20T16:58:08ZX5done2026-04-20T16:58:08ZW5done2026-04-20T16:58:08ZV5done2026-04-20T16:58:08ZU5done2026-04-20T16:58:08ZT5done2026-04-20T16:58:08ZS5done2026-04-20T16:58:08ZR5done2026-04-20T16:58:08ZQ5done2026-04-20T16:58:08ZP5done2026-04-20T16:58:08ZO5done2026-04-20T16:58:08ZN5done2026-04-20T16:58:08ZM5done2026-04-20T16:58:08ZL5done2026-04-20T16:58:08ZK5done2026-04-20T16:58:08ZJ"5pending2026-04-20T16:45:55Z#5pending2026-05-07T18:45:40Z�"5pending2026-04-30T15:41:49Zv"5pending2026-04-20T16:45:55Z	"5pending2026-04-20T16:45:55Z"5pending2026-04-20T16:45:55Z"5pending2026-04-20T16:45:55Z!5	pending2026-04-20T16:45:55Z#5pending2026-05-07T18:45:29Z�#5pending2026-05-07T18:45:26Z�#5pending2026-05-07T18:45:22Z�J5pending2026-05-07T18:45:18Z�&#	5in-progress2026-05-07T18:45:18Z�5i5done2026-04-20T16:58:08ZI5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z

�F�	9==�f
M�555MEM31-C FP reduction for CWE-401Description:
Reduce MEM31-�3}��#55Paper — taint tracking for CWE-78/CWE-89 (future work)Description:
Expand cross-function taint tracking for injection CWEs,
  referenced in paper future work section.

Details:
Partial delivery via tasks 67-69 plus v0.3.99 (49A), v0.3.101 (49B),
v0.3.102 (49C), and v0.3.103 (49D). CWE-78 62.8% → **94.8%** (+32.0pp,
now exceeds clang-tidy), CWE-194 58.4% → **69.4%** (+11.0pp), CWE-195
48.7% → 52.5% (+3.8pp).

Delivered infrastructure:
  - `FunctionSummary.has_env03_taint_source` — body text scan for ~25
    taint sources (recv, fgets, scanf, getenv, Win32 I/O, etc.)
  - `FunctionSummary.returns_tainted` + `returns_from_callees`
    (v0.3.99, task 49A) — seeded from `has_env03_taint_source` on non-
    void returns, then propagated to fixpoint via
    `propagate_return_taint` so wrapper chains
    (`char *wrap() { return readIt(); }`) inherit the bit.
  - Reverse call graph built in each consuming rule from
    `ProjectContext.call_graph`.
  - Same-named static function merging in prescan (any tainted def
    poisons the merged summary; OR-merges both taint bits).

Rule integrations so far:
  - ENV03-C: parameter path → caller summary lookup (task 68); local
    command var `data = helper(...)` → callee clean-summary check
    (task 49A).
  - ENV33-C: pointer-parameter helper-sink path → transitive caller
    summary walk (task 49B). Mirrors ENV03-C task 68, with a BFS
    over the reverse call graph for Juliet variants 52c/53d/54e.
  - INT31-C: signed→size_t inside upper-bound guards → caller / callee /
    local-assignment summary lookups (task 69); `call_rhs_has_taint_source`
    now also treats `returns_tainted` callees as tainted (task 49A).
  - STR02-C: tainted-parameter → caller summary lookup (task 49D).
    Mirrors ENV33-C's BFS pattern; gated on "scope has no direct taint
    source" so local-recv paths stay flagging.

## Sub-task 49A — Return-value taint (DONE v0.3.99)

ENV03-C FP 468 → **324** (−144), TP 652 → 620 (−32). **4.5:1 FP:TP**
— cleanest ratio since task 67. CWE-78 TP rate 74.1% → **76.6%**
(+2.5pp). CWE-426 side benefit: FP −24 (1:1). Zero other-rule
regressions. INT31-C was neutral on Juliet; the wrapper pattern
exists in real-world code but Juliet CWE-194/195 v42 templates call
taint sources directly inside `badSource`, so the new transitive
bit had no additional TPs to catch there.

## Sub-task 49C — Function-pointer call graph + macro-aliased taint (DONE v0.3.102)

Two linked prescan fixes targeting Juliet v65a/b helper-sink variants.

1. `collect_callees` resolves function-pointer aliases. The function body
   is scanned once to build a local `pointer_var → target_function` map
   from init declarators (`void (*fp)(char *) = target;`) and later
   rebinds (`fp = target;`), then callees are emitted with aliases
   rewritten. Juliet v65a `caller → sink` edges are now first-class
   instead of landing as a `funcPtr` dead-end callee.

2. `has_env03_taint_source` also matc:�7
G�u5Paper — real bug case studyDescription:
Find and document a confirmed real defect in one of the 5
  open-source benchmark codebases detected by SqC but missed by cppcheck
  and clang-tidy.

Details:
Strongest paper contribution would be a confirmed bug (ideally with a CVE
or upstream fix) found by SqC.  Candidates:

  - EXP34-C on mosquitto (8,657 violations) — high volume, likely contains
    real null dereference paths.  Cross-reference with mosquitto's issue tracker.
  - ERR33-C on curl (unchecked return values) — curl has strict error handling
    conventions, violations may be real.
  - MEM30-C on any project — use-after-free is high-severity.

Process: run sqc on latest versions, export JSON, filter by high-severity
rules, manually verify top candidates, check if upstream has acknowledged
or fixed the issue.

Paper impact: new Section "Case Study" between Worked Example and Limitations.pending2026-04-20T16:45:55Z
�
4��x
_�555Third-party licensing and SBOM generationDescription:
Generate THIRD_PARTY_LICENSES.txt (cargo-about) and a
 CycloneDX SBOM (cargo-cyclonedx) on every release build, following
 the knots pattern.

Details:
Port the knots setup (~/data/knots/about.toml, ~/data/knots/about.hbs,
and the licensing/SBOM steps in ~/data/knots/.github/workflows/build.yml)
into sqc once the repo is on GitHub.

Files to add:
  - `about.toml` — cargo-about license allowlist. Start from the knots
    set: MIT, Apache-2.0 (+ LLVM-exception), BSD-2/3, ISC, Unicode-3.0,
    Unicode-DFS-2016, Zlib, 0BSD, MPL-2.0, CC0-1.0.
  - `about.hbs` — Handlebars template for THIRD_PARTY_LICENSES.txt
    (one block per license with `used_by` crate list + verbatim text).
  - `LICENSE` or `LICENSE-MIT` + `LICENSE-APACHE` — per task 70
    decision.

GitHub Actions steps (on release / tag push):
  - `cargo install cargo-about --locked`
  - `cargo about generate about.hbs -o THIRD_PARTY_LICENSES.txt`
  - `cargo install cargo-cyclonedx --locked`
  - `cargo cyclonedx --format json --spec-version 1.5`
    → produces `sqc.cdx.json`.

Artifact integration:
  - Stage `THIRD_PARTY_LICENSES.txt` and `sqc.cdx.json` alongside the
    binary in the release artifact bundle (task 53).
  - In deb/rpm/AppImage: install to
    `/usr/share/doc/sqc/{THIRD_PARTY_LICENSES.txt,sqc.cdx.json}`
    and `LICENSE` → `copyright` (deb) / `%license` (rpm).

Optional pre-commit / PR check: run `cargo about generate` in CI
without output redirection so a new dependency with a disallowed
license fails the build before merge.done2026-04-20T16:45:55Z2026-05-07T19:21:05Z2026-05-07T19:21:05Z�I
[�;555Migrate sqc from Azure DevOps to GitHubDescription:
Move the sqc repository from ADO to GitHub. Prerequisite for
 any release workflow, external contribution, or public paper artifact.

Details:
sqc is currently hosted on Azure DevOps. Moving to GitHub unblocks:
  - GitHub Actions release workflows (task 53 binary distribution,
    task 71 licensing/SBOM).
  - `sqc-analysis.yml` (already checked in) — SARIF upload to GitHub
    Code Scanning requires the repo to live on GitHub.
  - External visibility for the paper (task 51) and public bug
    reports against real-world benchmark targets (task 47).

Decisions needed before the move:
  - **Licensing.** `Cargo.toml` declares `MIT OR Apache-2.0` but no
    LICENSE file is checked in. Decide between dual-license (ship
    `LICENSE-MIT` + `LICENSE-APACHE`, Rust convention) or pick one.
    Outcome feeds task 71 artifact layout.
  - **Repo name + org** (personal vs. corporate).
  - **History sanitization.** Review for internal paths, proprietary
    codebase references, or customer-specific fixtures that should
    not become public.
  - **Issue / proposal transfer.** AGENTS/PROPOSALS and planning docs
    can move with the repo; ADO work-item history probably cannot.

Move mechanics: mirror-clone ADO repo with full history, push to the
new GitHub remote, archive the ADO project (read-only) for a transition
period, redirect any CI hooks.done2026-04-20T16:45:55Z2026-05-07T19:21:05Z2026-05-07T19:21:05Z
	~-��-
�	~�2
+�=555Release v0.2.16[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- EXP34-C Phase 2: call-site null propagation. Call-site flagging for
  DefinitelyNull args. Callee param seeding via `infer_arg_null_state()`.
  Multi-pass aggregation with lattice join.
- CWE-476: +19 TP, +17 FP (rate 35.9% -> 36.6%).done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�m
+�3555Release v0.2.15[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- EXP34-C Phase 1: CFG-based null state dataflow (`src/analyze/null_state.rs`).
  Forward dataflow with NullState lattice. EXP34-C rewritten from ~1200-line
  linear walk to CFG-based analysis.

### Fixed

- MEM10-C: parameter-only null check fix (-106 FP on CWE-476).
- d_lib_common FP round 2: resolved all 17 FP patterns (~51 violations). Key
  fixes: FIO46-C source-order stream tracking, INT32-C field_expression skip,
  FLP03-C scientific notation, EXP12-C parent-check, INT01-C sizeof skip.
- Juliet: -10,678 FP (-5.4%), TP rate 44.7% -> 44.2%.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�)
+�+555Release v0.2.13[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- INT31-C implicit narrowing assignment detection:
  `check_assignment_conversion()` for `init_declarator` and
  `assignment_expression`. Type width comparison with FP suppressions
  (double-flag, validated vars, bounds-check, literal-fits, bitmask).

### Fixed

- DCL19-C: `STATIC` macro recognition.
- INT32-C: skip unsigned operands in binary overflow checks.
- DCL15-C: skip functions with prototypes in `.h` headers.
- INT36-C: exclude struct field access and array subscript.
- PRE31-C: skip string literal arguments from side-effect analysis.
- EXP30-C: recognize `x = f(x)` as safe.
- INT30-C: detect `if (var > 0)` guard before unsigned decrement.
- DCL07-C/31-C: skip indirect calls and preprocessor-guarded blocks.
- Juliet: 44.6% -> 44.7% TP rate, -13,961 FP (-6.6%).

### Changed

- Prescan: `linkage_specification` (`extern "C" {}`) traversal in all walkers.
  `pointer_declarator` handling for pointer-returning prototypes.
  `header_declared_functions` field in `ProjectContext`.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Zj�
+�555Release v0.2.17[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- EXP34-C Phase 3: MEM10-C positive guard suppression (-38 FP). API02-C
  `const wchar_t *` exclusion. API00-C caller-aware suppression via function
  summaries. Prescan local variable tracking for callsite null state resolution.
- CWE-476: TP 313 -> 320 (+7), FP 542 -> 512 (-30), rate 36.6% -> 38.5%.
- CWE-690 bonus: +36 TP, -63 FP.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z
����	�0�-

E�555Binary distribution packagesDescription:
Generate AppImage, Windows .exe, .deb, and .rpm packages for sqc.

Details:
Packaging targets:
  - AppImage (Linux portable): use cargo-appimage or linuxdeploy with sqc binary +
    .desktop file + icon. Single self-contained executable for any Linux distro.
  - Windows .exe: cross-compile with x86_64-pc-windows-gnu or -msvc target.
    Optionally wrap in an MSI installer via cargo-wix.
  - .deb (Debian/Ubuntu): use cargo-deb. Include sqc binary in /usr/bin/,
    man page (task 52) in /usr/share/man/man1/, config examples in
    /usr/share/doc/sqc/. Set dependencies (libc6).
  - .rpm (Fedora/RHEL): use cargo-generate-rpm. Same file layout as .deb.

CI/CD integration: GitHub Actions matrix build with release artifacts uploaded
on tag push. Use cross for cross-compilation where needed.

Artifact bundle (per knots reference in ~/data/knots/.github/workflows/build.yml):
binary + LICENSE + THIRD_PARTY_LICENSES.txt + sqc.cdx.json (from task 71).done2026-04-20T16:45:55Z2026-05-07T19:21:05Z2026-05-07T19:21:05Z�
	
W�5Paper — finalization and submissionDescription:
Final paper revisions, formatting, and submission preparation.

Details:
Current state: paper/sqc.tex compiles to 10 pages, two-column, with 5 figures,
8 tables, and 11 references.  Uses plain article class.

Remaining items:
  - Update numbers when tasks 46-47 complete
  - Choose target venue and switch to appropriate template:
    * IEEE S&P / USENIX Security / ACM CCS (top tier, competitive)
    * NDSS / ACSAC (strong security venues)
    * IEEE SecDev / SCORED (tools-focused, better fit)
    * ICSME / ASE (software engineering, tool papers track)
  - Add Eric and Tristan's institutional affiliation if not BISSELL
  - Review by co-authors
  - Proofread and style consistency passpending2026-04-20T16:45:55Z�f
M�555MEM31-C FP reduction for CWE-401Description:
Reduce MEM31-C FPs on CWE-401 (memory leak).
 CWE-401: 77.6% vs clang-tidy 83.9% (−6.3pp, 220 FP remaining)

Details:
DONE. MEM31-C: 786 TP/763 FP → 761 TP/220 FP (-543 FP, -25 TP, 21.7:1 ratio).
CWE-401 TP rate 50.7% → 77.6% (+26.9pp). Rule FP rate 49.3% → 22.4%.

  Three fixes:
  1. Prescan callee-frees-param: integrate FunctionSummary.frees_params.
  2. Transitive free propagation: param pass-through + fixpoint in prescan.
  3. If/else branch merge: UNION of freed memory from both branches.

  Remaining 220 FPs: switch constants, pointer-to-pointer, global variables.

Original status line: done (v0.3.86)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55ZE�5Binary distribution packagesDescription:
Generate AppImage, Windows .exe, .deb, and .rpm packages for sqc.

Details:
Packaging targets:
  - AppImage (Linux portable): use cargo-appimage or linuxdeploy with sqc binary +
    .desktop file + icon. Single self-contained executable for any Linux distro.
  - Windows .exe: cross-compile with x86_64-pc-windows-gnu or -msvc target.
    Optionally wrap in an MSI installer via cargo-wix.
  - .deb (Debian/Ubuntu): use cargo-deb. Include sqc binary in /usr/bin/,
    man page (task 52) in /usr/share/man/man1/, config examples in
    /usr/share/doc/sqc/. Set dependencies (libc6).
  - .rpm (Fedora/RHEL): use cargo-generate-rpm. Same file layout as .deb.

CI/CD integration: GitHub Actions matrix build with release artifacts uploaded
on tag push. Use cross for cross-compilation where needed.

Artifact bundle (per knots reference in ~/data/knots/.github/workflows/build.yml):
binary + LICENSE + THIRD_PARTY_LICENSES.txt + sqc.cdx.json (from task 71).pending2026-04-20T16:45:55Z
		�{
u�555EXP34-C null safety through if-guards and &stack_varDescription:
Reduce EXP34-C FPs where null safety is established by
 if-guard-with-early-return or &stack_variable callers (~16 FPs).

Details:
DONE. Patterns A and B were already fixed by cumulative EXP34-C work
(v0.3.82 AST-level null guard fallback, v0.2.20 &stack_var propagation).
Verified on all four target embedded codebases (d_lib_common,
d_lib_serial_leds, d_lib_networking, d_lib_airpath_debris_sensing):
zero EXP34-C FPs remain except one `Memory_Free(NULL)` wrapper case.

v0.3.90-0.3.91 broadened the fix to related idioms surfaced by the
realworld benchmark:

  1. `PARAM == 0` / `PARAM != 0` null-check detection (plus reversed-
     operand and all-spacing variants). sqlite/libcurl consistently use
     this idiom (e.g. `if(pStmt==0) return ...`) — previously unrecognized.
  2. EXP34-C: skip deref-function arg check when callee is in the
     null-safe list. `free(NULL)` and `realloc(NULL, n)` are defined
     per C11 7.22.3.3 / 7.22.3.5 — flagging them is incorrect.
  3. Alias null-check recognition: `TYPE *alias = param;` followed by
     a null-check on `alias` logically null-checks `param`. Common in
     libcurl wrappers (curl_easy_setopt, curl_multi_cleanup).

Benchmark (v0.3.89 → v0.3.91):
  Realworld: −321 violations total. EXP34-C −242, API00-C −79.
    sqlite −285, mosquitto −30, curl −3, libcrc −3, hostap 0.
  Juliet: TP −102 (all CWE-690 free() with potentially-null arg —
    by-design suppression, not a regression). FP unchanged.

Pattern C (callback `void *` params) remains open but is lower priority
(requires trust annotations or library modeling).

Original status line: done (v0.3.91)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
���
}�1555API00-C validation look-ahead past variable declarationsDescription:
Reduce API00-C FPs where parameter validation exists but
 is not detected due to intervening variable declarations (~12 FPs).

Details:
Three sub-patterns triaged:

  A. **Validation past var decls** — already handled pre-v0.3.97. The
     existing `check_validation_patterns` walks the entire body (not just
     the first N statements) and `collect_else_if_chain_validations`
     traverses full if/else-if/else chains, so cases like
     `Ringbuffer_read` (if/else-if/else with NULL checks after a
     `result_e result = …;` declaration) no longer FP. Verified on
     d_lib_common with API00-C suppressions stripped — zero FPs for this
     sub-pattern.

  C. **void\* container where NULL is valid** — implemented in v0.3.97.
     New type-aware suppression: a `void *` / `const void *` parameter
     that is never dereferenced locally (`*p`, `p->x`, `p[i]`) and
     passes through only to null-accepting stdlib sinks (free, realloc,
     Memory_Free, Memory_Realloc, cfree) or callees whose summary
     validates the corresponding argument is treated as a generic-
     container slot where NULL is a valid value.

     Helpers: `is_generic_void_pointer_type` (bare `void *`, rejects
     `void **` and array decls) + `is_void_ptr_storage_safe` (walks the
     body, collects every parent-kind, returns true only if every use is
     storage-like or a verified safe call).

     Results (Juliet v0.3.96 → v0.3.97):
       - API00-C: TP 90→84 (-6), FP 116→104 (-12). **2.0:1 FP:TP**.
       - CWE-476 TP rate 58.9% → **59.6%** (+0.7pp).
       - Overall TP rate unchanged at 63.4%.
       - Zero other-rule regressions.

     Real-world d_lib_common: 1 → 0 API00-C FP (ArrayList_Append).

  B. **Embedded API contract — no NULL check by design** (3 FPs in
     airpath, ~17 FPs in serial_leds). Deferred. All remaining real-
     world API00-C FPs are public-API functions that dereference `ctx`
     without validation by hardware-contract design (e.g.
     `DebrisSensor_AdcSample`, `SerialLeds_set_*`). No clean AST-level
     signal distinguishes these from genuine FPs — continuing to rely
     on `SQC-SUPPRESS: API00-C` at the function site. Options considered
     and rejected:
       * Skip all public API with `_set_` / `_Init` / `_update` prefixes
         — too broad; masks real bugs in other projects.
       * Require explicit header prototype + Doxygen `@pre` — no
         reliable way to parse `@pre` contracts from tree-sitter.
       * Switch API00-C severity to Low for non-static functions —
         doesn't reduce FP count, only its visibility.

Original status line: done (v0.3.97) — A already covered, C implemented, B deferreddone2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z

���
q�O555DCL19-C / DCL00-C scope and const-qualify FP fixesDescription:
Fix DCL19-C flagging public API functions and DCL00-C
 flagging loop counter variables (6 FPs in serial_leds).

Details:
DONE. Both fixes landed in v0.3.88 via commit 2c78eac2.

  A. **DCL19-C on public API** — `set_project_context` receives
     `header_declared_functions` from prescan; the "should be static"
     check now skips any function whose name appears in a header
     traversed via `-I`. serial_leds `SerialLeds_set`,
     `SerialLeds_set_rgb`, `SerialLeds_set_brightness`: 3 → 0.

  B. **DCL00-C on loop counters** — `is_in_for_loop_init` walks up
     the declaration's parent chain to detect when the declaration is
     itself the init clause of a `for_statement`. serial_leds
     `uint8_t g` across three for-loops: 3 → 0.

Original status line: done (v0.3.88)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�\
m�O555EXP02-C extended short-circuit guard recognitionDescription:
Extend EXP02-C guard pattern recognition beyond
 NULL_CHECK && fn_call to cover all common guard idioms (4 FPs).

Details:
DONE. Landed over two rounds.

v0.3.88 (task 64 initial): extended the NULL-guard exemption to `||`
and added `has_mutation_side_effects` so `p || (p = malloc(...))`
and `i++ > 10` still flag.

v0.3.98 (task 64 remaining): generalized the guard check from
null-specific substring matching to AST-based comparison detection.
`is_guard_pattern` now recognises any `binary_expression` whose
operator is `==`, `!=`, `<`, `>`, `<=`, or `>=`, plus compound
`&&` / `||` chains whose leaves are guards (recursive),
plus truthiness (bare identifier / `!x`) and parenthesized
wrappers. Combined with the preserved mutation check, the rule now
correctly suppresses:

  file_size > 0 && buflen >= file_size && fseek(...)
  self == NULL || IntSet_Contains(self, element)
  len == capacity && !growCapacity(self)
  arr->len == arr->cap && !ArrayList_growCapacity(arr)

while still flagging:

  p || (p = malloc(...))           — assignment in RHS
  a > 0 && ++count > 10            — update in RHS

Juliet: zero delta (all 4 EXP02-C tests still pass, CWE-taxonomy
totals unchanged). Real-world: EXP02-C delta below the top-5
per-rule threshold (task 64 targets d_lib_common, outside the
real-world benchmark set).

Original status line: done (v0.3.98)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�{
y�555MEM05-C / ARR32-C false VLA and stack allocation fixesDescription:
Fix false VLA detection and spurious stack allocation
 warnings (3 FPs across 2 codebases).

Details:
DONE. All three embedded FPs resolved by a single root-cause fix: the
MEM05-C VLA detector was text-matching `[...]` anywhere in a
declaration, so array subscripts inside initializers were
misclassified as variable-length sizes.

  1. **ARR32-C on header-defined constant** — `is_all_constant_expression`
     recursively walks binary_expression leaves, so
     `[MAX_LEDS * BYTES_PER_LED]` now passes as a constant expression
     when both identifiers are ALL_CAPS macros.
  2. **MEM05-C on array subscript** — `find_array_declarator_size`
     looks for an actual `array_declarator` node instead of bracket
     text, and `init_declarator`'s value field is explicitly skipped
     so `uint8_t x = arr[i]` is no longer a "VLA".
  3. **MEM05-C on 1-byte stack variable** — same AST-level fix. The
     "large stack allocation" message never fires; previous FPs were
     subscripts-in-initializers misclassified as VLAs. No size
     threshold was needed.

Empirical impact (serial_leds / airpath, suppressions stripped):
  serial_leds MEM05-C: 1 → 0
  serial_leds ARR32-C: 1 → 0
  airpath     MEM05-C: 1 → 0

Original status line: done (v0.3.88)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
��;�m
�_555ENV03-C locally-safe popen/system command var suppressionDescription:
Reduce ENV03-C FPs on Juliet CWE-78 goodG2B functions where
 the command variable is provably derived from string literals only.

Details:
DONE. ENV03-C FP 1272→612 (-660), TP 912→752 (-160). **4.1:1 FP:TP**,
cleanest ratio since v0.2.23.

Approach: new `is_command_var_locally_safe()` in env03_c.rs. Fixpoint over
char-array declarations and pointer aliases, then walks every write to the
command variable. Suppress only when every write is from a string literal,
a locally-init�
e�Q#55Miscellaneous embedded FP fixes (small wins)Description:
Fix assorted small FP patterns found across embedded
 codebases (~20 FPs total across multiple rules).

Details:
Collection of lower-count FPs that don't warrant individual tasks:

  1. **INT32-C sizeof(*ctx)** (serial_leds 1 FP): `sizeof(*ctx)` in
     memset is not signed overflow. sizeof always returns size_t.
     DONE (v0.3.98). `check_memory_function_overflow` now early-returns
     when the size argument is a `sizeof_expression`, alongside the
     existing `field_expression` exemption. The text-based
     `contains_arithmetic` false-matched the `*` inside
     `sizeof(*ctx)`. Real-world impact: INT32-C −239 (sqlite −169,
     curl −67, mosquitto −3); libcrc/hostap unaffected. Juliet zero
     delta.
  2. **INT33-C provably non-zero divisor** (serial_leds 2 FPs):
     Animation period set by API, never zero. Requires caller context.
  3. **DCL13-C direct call flagged as function pointer** (serial_leds
     2 FPs): Functions called directly, not th�v
e�555Miscellaneous embedded FP fixes (small wins)Collection of lower-count FPs that don't warrant individual tasks:

  1. **INT32-C sizeof(*ctx)** — DONE (v0.3.98)
  2. **INT33-C non-zero constant macro divisor** — DONE (v0.3.115)
  3. **DCL13-C direct call flagged as function pointer** (serial_leds 2 FPs): not reproducible in current scan
  4. **ARR00-C/ARR01-C bounded array access** (serial_leds 4 FPs): value-range-dependent, deferred
  5. **INT01-C protocol field types** (common 4 FPs): not appearing in current scan
  6. **DCL30-C struct member pointer** (serial_leds 1 FP): not appearing in current scan
  7. **INT00-C explicit uint32_t casts** (serial_leds 1 FP): not appearing in current scan
  8. **MEM30-C sequential frees** — DONE (v0.3.114)
  9. **EXP33-C for-loop init** — MOOT (sqc already handles correctly; code refactored to C99 style)
  10. **ARR36-C integer comparison** (common 1 FP): suppressed in d_lib_common, deferred

## Fix notes

### #1 INT32-C sizeof (v0.3.98)
check_memory_function_overflow early-returns when size arg is sizeof_expression.
INT32-C -239 realworld; Juliet zero delta.

### #8 MEM30-C sequential frees (v0.3.114)
is_freed() union_members loop: strip_prefix + check remainder starts with -> or .
Avoids matching base var itself. Juliet: zero delta. Fixes d_lib_common arraylist.c FP.

### #9 EXP33-C for-loop init — MOOT
sqc CFG puts for-loop initializer in pre-header block before first read.
d_lib_common intset.c refactored to C99 style anyway; no FP in current scan.

### #2 INT33-C non-zero constant macro divisor (v0.3.115)
is_divisor_checked() fast-path: try_evaluate_expr() + file_macros.
Non-zero integer constant macro (BRIGHTNESS_MAX=255) suppresses violation.
Requires -d prescan for cross-file header macros. Fixes 3 FPs in d_lib_serial_leds.
Juliet CWE-369: zero delta.done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-30T00:24:48Z
��	����555INT31-C taint-aware suppression for signed→size_t conversionsDescription:
Reuse ENV03-C's taint-source summary bit to suppress
 INT31-C FPs on Juliet CWE-194/195 helper-function variants.

Details:
DONE. INT31-C FP 2172→1452 (-720), TP 2608→2142 (-466). 1.54:1 FP:TP.

App�m
�_555ENV03-C locally-safe popen/system command var suppressionDescription:
Reduce ENV03-C FPs on Juliet CWE-78 goodG2B functions where
 the command variable is provably derived from string literals only.

Details:
DONE. ENV03-C FP 1272→612 (-660), TP 912→752 (-160). **4.1:1 FP:TP**,
cleanest ratio since v0.2.23.

Approach: new `is_command_var_locally_safe()` in env03_c.rs. Fixpoint over
char-array declarations and pointer aliases, then walks every write to the
command variable. Suppress only when every write is from a string literal,
a locally-initialized buffer, or strcat/strcpy with a literal source.

Short-circuits that still flag:
  - Direct string literal (defense-in-depth preserved for existing tests).
  - Function parameter (caller-supplied, handled by task 68).
  - Any taint-source call in scope (recv, fgets, scanf, getenv, etc.).

Required allowing macro-identifier initializers on char arrays — `char
buf[N] = FULL_COMMAND;` is legal C only for macros, so any identifier in
that position is treated as a literal.

CWE-78 TP rate 62.8% → 72.3% (+9.5pp). Overall TP rate 61.7% → 62.5%
(+0.8pp). Zero other-rule regressions.

Original status line: done (v0.3.94)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�u
w�w555ENV03-C cross-function taint for helper-sink variantsDescription:
Suppress ENV03-C FPs in Juliet CWE-78 variants 41-45 where
 the popen/system call lives in a helper function receiving data as a
 parameter.

Details:
DONE. ENV03-C FP 612→468 (-144), TP 752→652 (-100). 1.44:1 FP:TP —
diminishing returns as the remaining target shrinks.

New infrastructure:
  * `FunctionSummary.has_env03_taint_source` bit — populated via body
    text scan for recv/fgets/scanf/getenv-style calls (~25 functions).
  * ENV03-C parameter path consults reverse call graph (callee → callers)
    built from `ProjectContext.call_graph`. Suppress only when every
    caller's summary is clean.

Prescan bug fix (affects other inter-procedural rules too):
  * `collect_call_graph` used `.insert()`, so multiple files with `static
    void goodG2B()` overwrote each other and dropped caller edges.
    Changed to `.entry().or_default().extend()` for call edges, and
    OR-merge for `has_env03_taint_source`. Same-named static merging is
    conservative (any tainted def poisons the merged summary).

Results: CWE-78 TP rate 72.3% → 74.1% (+1.8pp). Overall TP rate 62.5% →
62.7% (+0.2pp). Side effect: EXP34-C -6 FP / 0 TP (prescan merging
recovered a few missed caller links).

CWE-426 (Untrusted Search Path): -24 TP / -24 FP — neutral. Remaining
~468 ENV03-C FPs are v42/v22a-style (`data = helper(data)` return-tainted
assignments) and v45-style (global-static pointers) — need return-value
taint or global-write tracking to shrink further.

Original status line: done (v0.3.95)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
+�w���tclody text scan for ~25
    taint sources (recv, fgets, scanf, getenv, Win32 I/O, etc.)
�l
+�1555Release v0.2.21[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- Const-eval / value-range analysis module (`src/analyze/const_eval.rs`, ~550
  lines). `MacroConstantMap` for `#define` constant collection.
  `ValueRange { min, max }` interval arithmetic. `try_evaluate_expr()` /
  `try_evaluate_range()` for recursive AST constant folding.
  `extract_loop_var_ranges()` for loop bounds. Integrated with INT32-C and
  INT30-C.

### Fixed

- Benchmark measurement: analysis script now outputs all rules (previously top
  10 only). 16 existing runs reanalyzed. Eliminated phantom regressions from
  top-10 truncation.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�1
+�;555Release v0.2.20[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- `-I`/`--include-path` flag: pre-pass extracts `#include` directives, resolves
  against search paths. Transitive include resolution with cycle prevention.

### Fixed

- MSC37-C: `STATIC void` macro prefix, `has_void_specifier()` scans all
  children for `void`.
- INT36-C: `(void)` discard cast, bare `void` no longer matched as pointer
  type.
- PRE02-C: trailing comment stripping in macro values.
- ERR33-C: `(void)` cast recognized as intentional discard.
- CON03-C: skip `const`-qualified variables and synchronization primitive types.
- DCL30-C: scalar value copy through pointer no longer flagged as address
  escape.
- FIO47-C: snprintf argument count corrected (subtract 3, not 1).
- EXP37-C: init_declarator skip for K&R-style declarations.
- API00-C: skip static functions + caller-aware suppression via NotNull.
- INT01-C: eliminated double-visit dedup fix (-3 duplicate violations).
- EXP34-C: array declarations tracked as NotNull in prescan.
- Juliet: -2,720 FP, TP rate 44.1% -> 44.2%.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z��-
+�3555Release v0.2.22[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- ARR02-C: skip implicit bounds check for string-literal-initialized arrays.
- POS02-C: removed `socket`/`setsockopt` from privileged operations.
- PRE31-C: strip string literal content before function-call pattern checks.
- MEM05-C: ALL_CAPS macro constant VLA detection + word-boundary recursion
  matching.
- INT32-C: `is_inside_bounds_checked_block()` extended to while/for statements.
  `extract_mutation_target()` ensures loop-bounded variable matches operation.
- INT30-C: skip subtraction when either operand is `uint64_t`.
- Const-eval: `ValueRange::shl()` clamps negative shift-amount lower bounds
  to 0.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z)C>=:9845 !"#6$%&+,/0123BC=>��`@ ����`@ ��uR/��jG$���
   instead of landing a"5pending2026-04-30T15:41:49Zv"5pending2026-04-30T15:41:49Zu"5pending2026-04-30T15:41:33Zt"5pending2026-04-30T15:41:33Zs�5pending2026-04-20T16:45:55Z"5pending2026-04-20T16:45:55Z"5pending2026-04-20T16:45:55Z
"5pending2026-04-20T16:45:55Z"5pending2026-04-20T16:45:55Z	"5pending2026-04-20T16:45:55Z"5pending2026-04-20T16:45:55Z"5pending2026-04-20T16:45:55Z!5	pending2026-04-20T16:45:55Z&#5in-progress2026-04-30T11:20:20Zr&#5in-progress2026-04-20T16:45:55Z5done2026-04-28T18:59:56Zq5done2026-04-23T17:44:45Zp5done2026-04-22T19:22:42Zn5done2026-04-22T19:22:38Zm5done2026-04-20T17:24:37Zl5done2026-04-20T16:58:09Zk5done2026-04-20T16:58:09Zj5done2026-04-20T16:58:09Zi5done2026-04-20T16:58:09Zh5done2026-04-20T16:58:09Zg5done2026-04-20T16:58:09Zf5done2026-04-20T16:58:09Ze5done2026-04-20T16:58:09Zd5done2026-04-20T16:58:09Zc5done2026-04-20T16:58:09Zb5done2026-04-20T16:58:09Za5done2026-04-20T16:58:09Z`5done2026-04-20T16:58:09Z_5done2026-04-20T16:58:09Z^5done2026-04-20T16:58:09Z]5done2026-04-20T16:58:09Z\5done2026-04-20T16:58:09Z[5done2026-04-20T16:58:08ZZ5done2026-04-20T16:58:08ZY5done2026-04-20T16:58:08ZX5done2026-04-20T16:58:08ZW5done2026-04-20T16:58:08ZV5done2026-04-20T16:58:08ZU5done2026-04-20T16:58:08ZT5done2026-04-20T16:58:08ZS5done2026-04-20T16:58:08ZR5done2026-04-20T16:58:08ZQ5done2026-04-20T16:58:08ZP5done2026-04-20T16:58:08ZO5done2026-04-20T16:58:08ZN5done2026-04-20T16:58:08 5done2026-05-07T18:45:24Z� 5done2026-05-07T18:45:33Z� 5done2026-05-07T18:45:32Z�	5done2026-05-07T18:45:15Z5done2026-04-30T15:41:49Zu5done2026-04-30T15:41:33Zt5done2026-04-30T15:41:33Zs5done2026-04-20T16:58:08ZE5done2026-04-20T16:58:08ZD5done2026-04-20T16:58:08ZC5done2026-04-20T16:58:08ZB5done2026-04-20T16:58:08ZA5done2026-04-20T16:58:08Z@5done2026-04-20T16:58:08Z?5done2026-04-20T16:58:08Z>5done2026-04-20T16:58:08Z=5done2026-04-20T16:58:08Z<5done2026-04-20T16:58:08Z;5done2026-04-20T16:58:08Z:5done2026-04-20T16:58:08Z95done2026-04-20T16:58:08Z85done2026-04-20T16:58:08Z75done2026-04-20T16:58:08Z65done2026-04-20T16:58:08Z55done2026-04-20T16:58:08Z45done2026-04-20T16:58:08Z35done2026-04-20T16:58:08Z25done2026-04-20T16:58:08Z15done2026-04-20T16:58:08Z05done2026-04-20T16:58:08Z/5done2026-04-20T16:58:08Z.5done2026-04-20T16:58:08Z-5done2026-04-20T16:58:08Z,5done2026-04-20T16:58:08Z+5done2026-04-20T16:58:08Z*5done2026-04-20T16:58:08Z)5done2026-04-20T16:58:08Z(5done2026-04-20T16:58:08Z'5done2026-04-20T16:58:08Z&5done2026-04-20T16:58:08Z%5done2026-04-20T16:58:08Z$5done2026-04-20T16:58:08Z#5done2026-04-20T16:58:08Z"5done2026-04-20T16:58:08Z!5done2026-04-20T16:58:08Z 5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:58:08Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-23T13:56:29Zo5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z5done2026-04-20T16:45:55Z
5done2026-04-20T16:45:55Z
�� lands variant 65;
variant 67 wasn't in the measured FP contributors this round.

## Sub-task 49D — STR02-C caller-aware suppression (DONE v0.3.103)

Port the ENV33-C task 49B template to STR02-C. Previously STR02-C
tainted every parameter by default ("params are external input") and
flagged any `system()` / `popen()` whose arg resolved to a tainted
variable — so every Juliet `_goodG2BSink(char *data) { popen(data); }`
produced an FP. New gate�0
m�w555INT30-C embedded guard/bound pattern recognitionDescription:
Reduce INT30-C FPs on bounded embedded arithmetic.

Details:
DONE. Work spread across v0.3.88, v0.3.89, v0.3.92, v0.3.93.

Patterns recognized across the four commits:

  1. **Bitmask wrapping** (`(x + 1) & MASK`): v0.3.88 via
     `is_addition_masked_by_bitand`. Applies to addition only — the mask
     bounds the result regardless of any wrap.
  2. **Narrow-pre-cast addition/multiplication**: v0.3.88 + v0.3.89 via
     `both_operands_narrow_pre_cast` /`is_narrow_cast_plus_small_const` /
     `is_narrow_cast_times_small_const` using `effective_operand_type`
     that peers through explicit casts to recover `uint8_t` / `uint16_t`.
  3. **(WIDE)(a - b) guarded by `a > b + POS`**: v0.3.89 via
     `is_cast_over_guarded_narrow_sub` + `cond_gt_b_plus_positive`.
  4. **Same-array subtraction / widened comparison**: covered by
     narrow-pre-cast + guarded-subtraction combination.
  5. **Wide-unsigned struct-field `++`/`--`** (`ctx->tick++`,
     `obj.seq--`): v0.3.92 direct skip in `check_increment_decrement`.
     Monotonic counter fields wrap at 2^32/2^64 and are benign; Juliet
     CWE-190/191 only exercises local-variable `++`, so no TP loss.
  6. **Thin calloc wrapper** (`calloc(nmemb, size)` where both args are
     function parameters): v0.3.92 via
     `calloc_args_are_function_params` — delegates overflow to C11
     calloc (§7.22.3.2).
  7. **Implicit-else early-exit guard** (`if (a < b) return; /* a - b */`):
     v0.3.92 via `preceding_early_exit_guards_subtraction` + the new
     `if_always_exits` helper.

Infrastructure fixes surfaced along the way:
  * v0.3.92: `get_function_arguments` now iterates named children, so
    `args[0]` is the real first argument instead of a `(` token. This
    unmasked a latent bug where malloc/realloc multiplication overflow
    detection was silently disabled and calloc messages read
    `calloc((, nmemb)`.
  * v0.3.93: dropped the dedicated malloc/realloc allocation-overflow
    check. `check_multiplication` already covers the inner `*` (with
    full VRA + SIZE_MAX-guard awareness), so the allocation-level check
    produced nothing but duplicate diagnostics and occasional FPs on
    provably-safe good-paths. Calloc keeps its dedicated check because
    its multiplication is implicit.
  * v0.3.92: `has_function_context_check` falls back to the translation
    unit for snippet-style tests without an enclosing function.

Empirical impact on target embedded codebases (INT30-C suppressions
stripped for measurement, -I include paths unchanged):
  d_lib_common:          1 → 0 INT30-C FPs
  d_lib_serial_leds:    12 → 8 INT30-C FPs
  d_lib_airpath:         2 → 2 (unchanged; bounded-shift compound
                                addition, see Remaining below)
  d_lib_networking:      0 → 0

Real-world (v0.3.91 → v0.3.93): **−187 INT30-C violations**
  curl:      -106   mosquitto:  -44
  sqlite:     -37   libcrc:       0

Juliet v0.3.93 vs v0.3.91: zero delta across all 74 CWEs (the v0.3.92
duplicate-diagnostic regression on CWE-680 was fully reversed by the
v0.3.93 dedupe).

Remaining serial_leds FPs need narrow-operand propagation through local
assignments (brightness arithmetic via `uint32_t range = (uint32_t)a -
(uint32_t)b` then `range * time`). Airpath FPs need shift-aware
effective-type recognition for compound accumulators (`ctx->ad_sum +=
(... >> SHIFT) + 1`). Both deferred — low FP count, risk of Juliet TP
regressions on CWE-190/191.

Original status line: done (v0.3.93)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
�99I"	�>�:�$
+�]555Release v0.3.14### Fixed

- Juliet regression investigation: full-suite benchmark 126,106 TP, 158,036 FP,
  44.4% TP rate. Confirmed regression is cumulative effect of individually
  correct suppressions. Discovered scoring methodology issues (off-by-one in
  FLAW-line matching, incidental noise scored as TP).done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z]�+
+�555Release v0.3.22### Fixed

- ARR38-C: function-scoped alias resolution prevents cross-function
  contamination. Skip heuristic checks when buffer size is verified. CWE806:
  function-scoped `find_content_size_in_function()` tracks `memset(var, char,
  N)`. -183 CWE806 FP, -69 CWE805 FP.
- ARR30-C: multi-assignment constant resolution via
  `try_resolve_variable_to_constant`. Extract only condition from AST instead
  of searching full if-body text. -67 CWE129 FP.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Z�*
+�555Release v0.3.21### Added

- CWE-121/122 buffer overflow detection: ARR30-C gains literal loop bounds,
  ALLOCA tracking, pointer alias tracking. ARR38-C gains ALLOCA detection,
  strlen/wcslen overflow, snprintf variants, pointer alias resolution,
  N*sizeof(type) parsing.
- Juliet: CWE-121 39.3% -> 39.9% TP rate, CWE-122 41.7% -> 36.6%.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Z�`)
+�555Release v0.3.20### Changed

- Benchmark infrastructure overhaul: new `bench/` package replaces shell scripts
  with Python runner + SQLite. `bench/runner.py` with `ProcessPoolExecutor`,
  `bench/analyzer.py` for TP/FP classification, `bench/db.py` with 7-table
  schema in WAL mode. MCP server updated to query SQLite first with legacy
  fallback. `scripts/backfill_juliet_results.py` imported 21 Juliet + 7
  real-world runs. Fast mode default with resume support.
- First 68-CWE fast benchmark: 8,413 TP / 10,484 FP, 44.5% TP rate.done2026-04-20T16:58:08Z2026-03-18T00:00:00Z2026-03-18T00:00:00Z�s(
+�?555Release v0.3.19### Fixed

- ENV03-C: function-scoped clearenv() checks sanitization per-function instead
  of file-level.
- STR02-C: intra-function taint tracking (recv, fgets, fgetws, scanf, getenv,
  etc.) with cast handling and propagation.
- CWE-78 precision: 42.0% -> 45.5%, FP -330, TP -78.done2026-04-20T16:58:08Z2026-03-15T00:00:00Z2026-03-15T00:00:00Z�k'
+�/555Release v0.3.18### Added

- Fast benchmark mode: `generate_rule_cwe_map.py` generates 147 per-CWE
  manifest TOMLs. `run_juliet_parallel.sh --fast` uses per-CWE manifests.
  CWE-476 validation: noise 61.8% -> 0%, TP rate 39.5% -> 46.5%.
- INT31-C: `check_call_argument_conversion()` detects signed integer variables
  passed to functions expecting `size_t`. Covers 20 standard library functions.
  Suppressions for explicit cast, sizeof, literals, bounds check, non-negative
  guard.

### Fixed

- Various false positive reduction improvements.done2026-04-20T16:58:08Z2026-03-14T00:00:00Z2026-03-14T00:00:00Z�$&
+�!555Release v0.3.17### Added

- `collect_macro_aliases()` in const_eval.rs for `#define ALIAS identifier`
  patterns. ENV33-C, ENV03-C, STR02-C resolve aliases before matching dangerous
  functions. Windows exec/spawn variants added to ENV33-C.
- ERR33-C CWE-253: validates comparison correctness for functions classified by
  `ErrorReturnKind` (NullPointer, NegativeInt, Eof, NonZero, Count). Macro
  alias resolution + wchar_t variants. CWE-253: 178 TP, 0 FP, 100% precision.done2026-04-20T16:58:08Z2026-03-12T00:00:00Z2026-03-12T00:00:00Z�4%
+�A555Release v0.3.15### Added

- CWE-aware scoring system: 5 new metrics (FLAW-line hit rate, CWE-matched TP
  rate, per-file detection rate, noise ratio, incidental TP/FP).
  `generate_rule_cwe_map.py` produces `data/rule_cwe_map.json` (117 rules to
  144 CWEs). Integrated into analysis pipeline.
- CWE-124, CWE-126, CWE-127 mappings for ARR30-C, ARR38-C, STR31-C.done2026-04-20T16:58:08Z2026-03-12T00:00:00Z2026-03-12T00:00:00Z
',5�'�.
+�555Release v0.3.25### Added

- EXP33-C ALLOCA/alloca tracking: `alloca()` and `ALLOCA()` allocations treated
  as uninitialized memory. +52 new TPs.

### Fixed

- EXP33-C conditional init heuristic: broadened from incomplete conditionals to
  any conditional body. New `inits_share_conditional` check. +18 new TPs.
- INT31-C VRA improvement: CWE-194 TP rate 41.7% -> 56.8% (+15.1pp, -310
  FP/-31 TP).
- Juliet (68/68 CWEs): 8,420 TP / 9,371 FP, 47.3% TP rate (+0.6pp).done2026-04-20T16:58:08Z2026-03-20T00:00:00Z2026-03-20T00:00:00Z�t-
+�A555Release v0.3.24### Added

- VRA Phase 5: inter-procedural return ranges. `FunctionSummary` gains
  `return_range: Option<ValueRange>` computed during prescan. VRA transfer
  function resolves `call_expression` RHS using callee return range.
- VRA Phase 6: INT31-C migration. Full VRA integration for
  signed->unsigned, unsigned->signed, and narrowing casts. VRA-based range
  narrowing supplements syntactic `is_inside_bounds_checked_block()`.

### Changed

- Prescan reordered: macro constants collected before function summaries.
- Juliet (67/68 CWEs): 7,393 TP / 8,433 FP, 46.7% TP rate (+2.4pp vs
  v0.3.21). ~6x speedup on large non-VRA CWEs via `compute_return_ranges` flag.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Z�x,
+�I555Release v0.3.23### Added

- CFG-based forward value-range analysis (`value_range.rs`). Worklist algorithm
  with interval lattice, edge refinement for all comparison/compound operators,
  type-aware initial ranges, widening after 3 back-edge iterations. Computed
  once per file per function, shared across rules via `set_vra_results()`.

### Changed

- INT33-C: `divisor_provably_nonzero()` tries VRA first, falls back to
  syntactic analysis.
- INT34-C: `check_shift_operation()` tries VRA first for shift amount range.
- INT32-C: all 6 `expression_fits_in_signed` call sites use VRA-backed version.
- INT30-C: all 4 `expression_fits_in_unsigned` call sites use VRA-backed
  version.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Zj�l/
+�1555Release v0.3.26### Fixed

- EXP33-C: conditional init early-return detection. If/else-if/else chains
  where non-initializing branches have unconditional exits no longer flag as
  uninitialized. New `if_chain_covers_init_or_exit()` analysis.
- ERR33-C (CWE-253): `== 0` for NonZero functions and Count functions no longer
  incorrectly flagged.
- FIO47-C: fixed 100% FP rate (0 TP, 119 FP -> 0 FP). Root cause:
  `count_arguments()` miscounted non-data args for `sprintf`/`sscanf`/`dprintf`.
  Relaxed format validation: `%lf` valid in C99+, removed `'` flag and
  `+/space` with `%o/%u/%x` checks.
- PRE00-C: restricted from all function-like macros to only macros with
  multi-evaluation risk or side effects.
- EXP34-C: pointer function parameters default to NotNull when no
  inter-procedural call-site data exists.
- Juliet: 8,390 TP / 9,252 FP, 47.6% TP rate (+0.3pp). FIO47-C: 119 FP -> 0.
  CWE-134 TP rate 33.4% -> 47.9% (+14.5pp).
- Real-world: -5,366 violations (-1.5%). PRE00-C -4,274, EXP34-C -1,758.
  Cumulative from v0.3.5: -48,086 (-11.9%).done2026-04-20T16:58:08Z2026-03-20T00:00:00Z2026-03-20T00:00:00Z
	�P\�
��G2
+�g555Release v0.3.30### Fixed

- EXP34-C: replaced lattice join in `aggregate_callsite_null_states()` with
  count-based voting. One PossiblyNull callsite no longer poisons parameters
  with 50 NotNull callers. EXP34-C: 26,457 -> 5,290 (-80.0%) across 5
  real-world codebases.
- Juliet: 8,285 TP / 9,180 FP, 47.4% TP rate. CWE-690 TP rate 83.8% -> 94.3%
  (+10.5pp). Zero regressions.done2026-04-20T16:58:08Z2026-03-22T00:00:00Z2026-03-22T00:00:00Z�q1
+�;555Release v0.3.28### Added

- `--save-prescan FILE` / `--load-prescan FILE` CLI flags for
  serializing/deserializing `ProjectContext` to binary cache (bincode format).
  Cache sizes: ~3.6 MB for hostap (12K functions), ~2.4 MB for sqlite.
  Per-worker speedup: hostap 11.2s -> 0.8s (93%), sqlite prescan 866s -> 0s.
  New dependency: `bincode = "1.3"`.
- Persistent prescan cache at `data/prescan_cache/{codebase}.cache` with
  `--rebuild-prescan` flag for regeneration.

### Changed

- Parallel scanner: balanced subdirectory splitting via recursive
  `find_scan_units()`, prescan cache integration, prescan timeout increased
  600s -> 1800s, graceful `TimeoutExpired` fallback.done2026-04-20T16:58:08Z2026-03-21T00:00:00Z2026-03-21T00:00:00Z�10
+�;555Release v0.3.27### Added

- `rules-benchmark.toml` manifest with 13 style/recommendation rules disabled
  (zero Juliet CWE contribution, ~114K realworld violations): EXP19-C, DCL08-C,
  DCL06-C, EXP02-C, EXP14-C, EXP12-C, EXP10-C, DCL04-C, INT02-C, INT01-C,
  INT17-C, INT16-C, PRE31-C.
- Parallel sqc scanner (`scripts/sqc_parallel_scan.py`): splits codebases by
  subdirectory, runs multiple sqc processes via `ProcessPoolExecutor`,
  auto-detects parallelism, deduplicates merged JSON outputs.

### Fixed

- POS49-C: restricted from all shared struct field writes to only actual
  bit-field writes. `collect_bitfield_names()` identifies fields with
  `bitfield_clause`. 15,693 -> 107 violations (-99.3%).

### Changed

- All benchmark infrastructure updated to use `rules-benchmark.toml`.
- MCP realworld server uses parallel scanner with `rebuild_prescan` parameter.done2026-04-20T16:58:08Z2026-03-21T00:00:00Z2026-03-21T00:00:00Z��y3
+�K555Release v0.3.31### Fixed

- INT07-C: skip `char *` pointer/array declarations in
  `is_plain_char_declaration`. 96.5% of violations were pointer arithmetic.
  6,230 -> 207 (-96.7%).
- ERR33-C: fixed duplicate violation bug (standalone calls emitted via both
  paths). Suppressed printf/puts/putchar/fputs/fputc/putc, `fprintf(stderr,
  ...)`, `signal(SIG*, SIG_IGN/SIG_DFL)`, `time(&t)` with output parameter.
  Recognized `==0`/`!=0` as NULL checks. Added `putenv`/`strdup`/`strndup`.
  7,182 -> 1,807 (-74.8%).
- MSC41-C: removed overly broad substring keywords (`db`, `connect`). Strict
  word boundaries for `key`/`token`. Leading boundaries for
  `auth`/`login`/`pwd`/`database`. Always apply `looks_like_sensitive_data()`
  heuristic. Added `looks_like_sensitive_in_context()`. 3,954 -> 293 (-92.6%).
- ARR00-C: rewrote `is_array_identifier()` from text-search to AST-based
  `has_array_declaration()`. Guarded checks with array-only. Fixed
  `check_array_assignment` to skip compound assignments. 7,341 -> 2,637
  (-64.1%).
- EXP33-C: added `scanf`/`fscanf`/`sscanf` `&var` argument initialization.
  Added 15 for-each macro patterns. 4,554 -> 4,189 (-8.0%).
- Juliet: 8,156 TP / 9,180 FP, 47.0% TP rate. -129 TP from intentional printf
  suppression. Zero FP change.
- Real-world: 182,020 -> 161,893 (-20,127, -11.1%).done2026-04-20T16:58:08Z2026-03-22T00:00:00Z2026-03-22T00:00:00Z
us�}u�8
+�c555Release v0.3.36### Added

- ARR36-C CWE-469: strchr/wcschr cross-array subtraction detection.
  `PointerAnalyzer` tracks `strchr`, `strrchr`, `wcschr`, `wcsrchr`, `memchr`,
  `strstr`, `wcsstr`, `strpbrk`, `wcspbrk` return values as pointing into
  first argument. Array declarations treated as own base. Assignment expressions
  tracked for pointer origin resolution. 36/36 TP, 0 FP.
- STR03-C CWE-464: `(char)atoi()` null sentinel detection. Covers `strtol`,
  `strtoul`, `atol` with char cast. 38/38 TP, 0 FP.
- API07-C CWE-843: void* type confusion detection. Tracks `void*` assignments,
  detects dereference with incompatible cast where cast type is larger than
  source type. 40/40 TP, 0 FP.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z�B7
+�]555Release v0.3.35### Added

- API07-C CWE-761: free-pointer-not-at-start detection. Tracks
  `malloc`/`calloc`/`realloc` assignments, detects `ptr++`/`ptr+=N`/`ptr--`
  modifications, flags subsequent `free(ptr)`. Handles reassignment and
  reallocation resets.

### Fixed

- EXP33-C: `extract_nested_base_ex()` recurses through nested subscript/field
  chains (`arr[0].field` -> `arr`). `MallocUninitialized` + subscript-in-chain
  -> `MallocInitialized`. `match_initializing_function()` suffix-matches wrapper
  functions (`os_memset` -> `memset`). `*zalloc()` recognized as
  zero-initializing allocator.
- ARR00-C: `find_pointer_source_array()` recursively resolves pointer
  derivation chains (depth limit 5). Eliminates FPs on `end - pos` buffer
  arithmetic.
- ERR33-C: printf-family return value checks suppressed (`fprintf`, `sprintf`,
  `snprintf`, `vprintf`, `vfprintf`, `vsprintf`, `vsnprintf`).

### Changed

- BENCHMARK_INSTALL.md: updated sqc examples from `rules-all.toml` to
  `rules-benchmark.toml`.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z�.6
+�5555Release v0.3.34### Fixed

- EXP33-C critical bug: functions inside `#ifdef`/`#ifndef`/`#if` preprocessor
  blocks were silently skipped. The guard condition `node.kind() !=
  "translation_unit"` excluded all non-top-level parents. Removed incorrect skip
  condition.
- EXP33-C: field-write `MallocUninitialized` preservation re-applied. Field
  writes on malloc'd pointers no longer upgrade to `MallocInitialized`. Stack
  struct field writes still upgrade `Uninitialized` -> `Initialized`.
- Reverted `extract_field_base` nested subscript resolution (caused premature
  `Initialized` marking on first element write).
- Juliet (vs v0.3.32): TP 8,156 -> 8,300 (+144), FP 9,180 -> 9,157 (-23),
  TP rate 47.0% -> 47.5%. EXP33-C: 294/561 -> 431/559.
- Real-world (vs v0.3.32): 150,337 -> 152,590 (+2,253). EXP33-C +2,899
  (hostap +2,525) from `arr[0].field` limitation.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z�
5
+�m555Release v0.3.33### Changed

- EXP33-C: complete rewrite from AST-walk to CFG-based forward dataflow
  analysis. New `init_state.rs` (~1,200 lines) with `InitState` lattice (5
  states: `Uninitialized`, `MaybeUninitialized`, `Initialized`,
  `MallocUninitialized`, `MallocInitialized`), forward worklist algorithm, and
  point queries via `get_var_info_at()`. New capabilities: branch-sensitive
  analysis, loop-aware array init, malloc content tracking, realloc wrapper
  detection, conditionally-initializing function detection, ~30 initializing
  functions with per-argument output indices, non-initializing function list,
  file-scope static variable tracking, subscript read extraction through
  `field_expression` chains.
- API00-C refinements.
- CFG `condition_range` support.
- Realworld benchmark MCP server enhancements (SQLite-first pattern,
  `get_rule_trend`, `get_project_history`).
- bench/db.py improvements.

### Removed

- Legacy shell scripts: batch_analyze_sqlite, bench_mosquitto_versions,
  compare_tools, run_juliet_multi_cwe, run_juliet_parallel, test_single_file.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z
�%t%
1y�L:
+�q555Release v0.3.38### Fixed

- EXP33-C: conditional-init, cast unwrap, and array arg fixes for real-world
  FP reduction.

### Changed

- DCL31-C/DCL07-C: removed library-specific whitelists, added `-I` include
  paths for system-installed third-party headers.done2026-04-20T16:58:08Z2026-03-24T00:00:00Z2026-03-24T00:00:00Z�"9
+�555Release v0.3.37### Fixed

- FIO30-C CWE-134 format string taint improvements. Three fixes unlock
  detection across all taint source patterns:
  - recv/recvfrom/recvmsg taint tracking: socket receive functions added to
    `process_string_manipulation_call`, handles cast expressions in buffer arg.
  - Macro alias resolution: integrated `const_eval::collect_macro_aliases` for
    `#define GETENV getenv` indirection. All function name lookups go through
    `resolve_func_name()`.
  - `get_base_variable` expression handling for `cast_expression`,
    `parenthesized_expression`, and `binary_expression`.
- Juliet (v0.3.35-v0.3.37 combined vs v0.3.34): TP 8,300 -> 8,508 (+208),
  FP 9,157 -> 9,067 (-90), TP rate 47.5% -> 48.4% (+0.9pp). Zero regressions.
- Real-world: 152,590 -> 153,568 (+978, +0.6%). ARR36-C +2,727 (strchr fires
  broadly on real-world pointer arithmetic). Excluding ARR36-C, net -1,749 FP.
- Source commits pinned in BENCHMARK_INSTALL.md for all 5 codebases.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z��5<
+�C555Release v0.3.42### Fixed

- const_eval.rs: double-nested parens now handled via loop-based stripping.
- DCL02-C: function-scope declarations checked via `init_declarator` +
  root-node traversal.
- EXP40-C: per-scope const variable tracking (was only double-pointer).
- STR34-C: `init_declarator` path + parameter tracking + per-function scoping.
- CON34-C: thread-unsafe function detection via banned function list.
- CON07-C: unprotected shared variable access via file-scope global collection.
- MSC38-C: test reclassified to SIG30-C (already detected).
- ERR01-C: errno-setting function detection for strtol/sqrt.
- MEM10-C: `sizeof(pointer)` misuse detection in alloc/memory calls.
- POS50-C: TOCTOU race detection (`stat()` then `fopen()` on same path).
- DCL17-C: K&R style function declaration + empty param list detection.
- CWE-480 (EXP16-C): AST-based function name collection + NULL recognition.
- CWE-482 (EXP16-C): dead comparison detection.
- CWE-367 (FIO01-C): `access()`/`stat()` + `open()` TOCTOU detection.

### Changed

- Benchmark analyzer: `parse_c_file_sections()` now performs call-graph analysis
  to reclassify helper functions defined outside `#ifndef OMITBAD`/`#ifndef
  OMITGOOD` guards. +52 TP, +5 FP across all runs. 18 historical runs
  retroactively corrected (969 total violations reclassified).
- Coverage gate raised from 79% to 80%. Current: 80.06%.done2026-04-20T16:58:08Z2026-03-25T00:00:00Z2026-03-25T00:00:00Z�L;
+�q555Release v0.3.39### Fixed

- ARR36-C real-world FP reduction (-82%). Per-function scoping fixes
  cross-function variable name collisions. Identifier chain resolution follows
  `variable_arrays` for known identifiers. Compound assignment (`+=`/`-=`) no
  longer overwrites array base. `os_*` wrapper recognition for `os_strchr`,
  `os_strstr`, `os_strrchr`, etc. Allocation functions get unique per-call
  bases. Address-of vs dereference distinction. File-scope + bare declaration
  tracking.
- Juliet: zero delta (8,508 TP, 9,067 FP, 48.4% TP rate).
- Real-world: 157,688 -> 153,156 (-4,532, -2.9%). ARR36-C 4,685 -> 829
  (-3,856, -82.3%).done2026-04-20T16:58:08Z2026-03-24T00:00:00Z2026-03-24T00:00:00Z
�**
��s=
+�?555Release v0.3.43### Added

- MSC12-C dead code / no-effect detection (CWE-561) with 4 detection patterns:
  no-effect expression statements (comparisons as statements, bitwise/shift with
  discarded result, wasted dereferences, bare identifiers), duplicate conditions
  in if/else-if chains, redundant sub-expressions in logical operators, and
  meaningless `continue` at end of loop body. Exceptions for `(void)` casts,
  function calls in conditions, and function calls in logical sub-expressions.
  12 wiki tests (5 fail + 7 pass).
- Wildcard suppression in `.sqc-suppress.toml` via `[[wildcard]]` TOML section.
  Supports `file_glob`, `rule`, `rule_glob`, `function_prefix`, and
  `justification` fields (all ANDed). Hash-matched suppressions take priority.
  Glob patterns compiled to regex at load time.done2026-04-20T16:58:08Z2026-03-25T00:00:00Z2026-03-25T00:00:00Z,�1>
+�;555Release v0.3.44### Changed

- ENV33-C: taint-source heuristic suppression for system()/popen(). Functions
  with no tainted input sources (recv, fgets, getenv, scanf, etc.) and no
  pointer/string parameters are suppressed. String literal arguments and
  cross-function sinks with char* params remain flagged. Macro aliases
  (#define SYSTEM system) resolved via project context.
- FLP03-C: removed overbroad check_fp_conversion() that flagged all
  float/double cast expressions. Added divide-by-zero guard detection:
  fabs/fabsf/fabsl magnitude checks, != 0, > 0, < 0 conditions suppress
  guarded divisions.

### Results

- Juliet TP rate: 48.4% -> 51.1% (+2.7pp). **P0 milestone achieved.**
- Total: TP 8,508->8,383 (-125), FP 9,067->8,020 (-1,047). 8.4:1 FP:TP ratio.
- ENV33-C: -818 FP/-139 TP (5.9:1). FP rate 58%->24.6%.
- FLP03-C: -234 FP/-70 TP (3.3:1). FP rate 69%->58.2%.
- CWE-78: TP rate 45.5%->63.0% (+17.5pp).
- CWE-369: TP rate 33.6%->36.9% (+3.3pp).
- Bonus: CWE-367 +15 TP, CWE-479 +36 TP, CWE-480 +10 TP, CWE-482 +7 TP
  (from v0.3.43 MSC12-C/wildcard rules newly matched to CWEs).
- Realworld: 154,598->154,603 (+5, flat). FLP03-C -164 (-43%, clean).
  ENV33-C -1. EXP16-C +160 regression in sqlite (unrelated, needs investigation).done2026-04-20T16:58:08Z2026-03-26T00:00:00Z2026-03-26T00:00:00Z
44�I?
+�k555Release v0.3.46### Changed

- P3214-driven FP reduction: 17 rules improved across 5 rounds. Validated
  against P3214 Secondary MCU firmware (8051, Keil C51). Zero Juliet
  regressions across both v0.3.45 and v0.3.46 benchmark runs (51.1% held).
- DCL18-C: skip zero with type suffix (0U, 0u, 0L, 0UL) — not octal confusion.
- DCL08-C: skip enums with consecutive integer sequences (0,1,2 or 1,2,3).
- PRE02-C: skip do{...}while(0) macros and (type)(expr) cast-wrapped macros.
- EXP35-C: arrow operator (->) means pointer return, not temporary struct.
- INT36-C: distinguish bitwise AND (&) from address-of; skip *ptr dereference.
- EXP07-C: skip bit-position shifts (0-7) — standard bit manipulation idioms.
- DCL19-C: skip volatile variables (ISR-shared) and STATIC macro declarations.
- INT17-C: skip hex constants ≤0xFFFF — portable across all C implementations.
- EXP10-C: skip || and && operators — C guarantees left-to-right evaluation.
- PRE08-C: skip self-matches (same filename compared to itself).
- DCL30-C: only flag pointer/array locals assigned to globals, not integer copies.
- EXP02-C: treat func()->field as pure getter read, not a side effect.
- INT34-C: recognize modulo expression (% N) as shift-amount bounds check.
- API00-C: recognize any token containing "STATIC" as static-equivalent macro
  (covers LIN_STATIC_INLINE, MY_STATIC_FUNC, etc.).
- EXP14-C: only flag ~ (bitwise NOT) and << (left shift) for promotion risk;
  skip &, |, ^, >> which are safe with unsigned operands.
- DCL17-C: skip simple volatile reads/writes; only flag compound operations
  (++, --, +=, -=) where read-modify-write may be non-atomic.
- INT14-C: skip 2-char loop index variables (bi) for mixed bitwise+arithmetic.
- INT30-C: skip narrow unsigned types (uint8_t, uint16_t) — promoted to int
  (≥32-bit) before arithmetic, cannot overflow promoted type. Preserved actual
  declared type from type_map instead of returning generic "unsigned".

### Results

- Juliet: 8,383 TP / 8,020 FP, 51.1% TP rate (unchanged from v0.3.44).
  Zero delta on all 69 CWEs across both v0.3.45 and v0.3.46 runs.
- P3214 Secondary MCU: 1,372 → 476 violations (-896, -65.3%).done2026-04-20T16:58:08Z2026-03-28T00:00:00Z2026-03-28T00:00:00Z
ii�A
+�555Release v0.3.48### Fixed

- analyze: resolve_includes now runs even when --load-prescan is set. Previously
  -I include paths were silently ignored during parallel scans (sqc_parallel_scan.py),
  causing DCL31-C/DCL07-C to flag functions declared in system headers.
  Realworld impact: DCL31-C+DCL07-C 14,657 → 3,772 (-10,885, -74%).
  Overall: 154,603 → 142,185 (-12,418, -8.0%).
- MEM04-C: sizeof() expressions now recognized as always non-zero in
  is_potentially_zero(). malloc(sizeof(int)) no longer falsely flagged.
- FIO10-C: POSIX rename() with return value check accepted as compliant.
  On POSIX, rename() atomically replaces the destination, so checking the
  return value is sufficient handling (task 18).

### Added

- test infra: `// sqc-test: prescan` marker for .c test files (task 19).
  build.rs detects the marker and generates tests that build intra-file
  prescan context (function summaries + call-site null states + CFGs) before
  calling rule.check(). Enables testing inter-procedural analysis patterns
  within a single translation unit.
- prescan: added prescan_single_tree() — builds ProjectContext from a single
  parsed tree for use in integration tests.
- analyze: collect_function_cfgs() now public for test use.
- EXP34-C: 3 intra-file null deref tests moved from pass/ to fail/ using
  prescan marker (func_param, list_null, callback_null). All correctly detect
  violations via call-site null state propagation.
- FIO10-C: added pass/testcases_posix_rename.c for POSIX error-checked rename.

### Changed

- WIN30-C: NULL security attributes test reclassified as out of scope.
  CreateFileA/CreatePipe security attributes are not related to WIN30-C
  (alloc/dealloc pairing). Test comment updated.done2026-04-20T16:58:08Z2026-03-29T00:00:00Z2026-03-29T00:00:00Z�~@
+�U555Release v0.3.47### Changed

- FIO24-C: added double-close detection for fclose/close/CloseHandle/closesocket.
  Tracks closed variables per function; flags duplicate close without intervening
  reopen. Resolves CWE-675 (224 Juliet files, 93.0% TP rate).
- POS37-C: added unchecked Windows privilege API return value detection
  (ImpersonateNamedPipeClient, RpcImpersonateClient, ImpersonateLoggedOnUser,
  CoImpersonateClient, ImpersonateSelf, SetThreadToken). Resolves CWE-273
  (36 Juliet files, 100% TP rate).
- DCL30-C: skip return of pointer to static local address. When a local pointer
  is assigned from &static_var[i], returning it is safe. Eliminates CWE-562 FP.
- MSC37-C: skip phantom functions from preprocessor-broken else-if chains.
  tree-sitter misparses disconnected else-if as function definitions.
- MSC37-C: recognize else_clause nodes in all-branches-return check. if/else
  where both branches return was falsely flagged.
- INT33-C: recurse into nested blocks for zero-guard detection. Guards inside
  outer if-blocks (e.g., null-check wrapping a zero-check) now recognized.
- INT34-C: recognize (mask >> var) != 0 loop condition as shift-amount bound.
  while ((mask >> bi) != 0u) implicitly constrains bi to < bit width.
- rule_cwe_map: added MSC12-C → CWE-561 mapping.
- INT32-C: scope type_map per function definition. Two functions declaring
  same variable name with different types (float X_pred vs int32_t X_pred)
  no longer collide — each function gets its own type map.
- DCL06-C: accept float zero literals (0.0f, 1.0f, etc.) as non-magic.
  Strip float/unsigned suffixes before checking acceptable values.
- FLP02-C: skip equality comparisons against exact zero (0.0, 0.0f). Zero
  is exactly representable in IEEE 754 — divide-by-zero guards are valid.
- bench/analyzer.py: fixed CSV parser regex for version:HASH suffix that broke
  line number extraction when commit hash started with a digit.

### Results

- 3 formerly zero-detection CWEs now detecting: CWE-675 (80 TP, 93.0%),
  CWE-273 (72 TP, 100%), CWE-562 (2 TP, 66.7% → 100% after DCL30-C fix).done2026-04-20T16:58:08Z2026-03-29T00:00:00Z2026-03-29T00:00:00Z
]
��	�P]:�D
+�555Release v0.3.51### Added

- MSC07-C: unreachable c�pF
+�9555Release v0.3.56### Added

- EXP34-C: variant 63 pointer-to-pointer null propagation. When caller passes
  &data where data=NULL, prescan tracks the pointee null state through
  callsite_param_pointee_null_states in FunctionSummary. Null state analysis
  seeds "*paramName" into initial state; transfer function propagates *ptr
  dereference. +6 TP, 0 FP across all 6 data types in CWE-476 variant 63.
- EXP34-C: variant 64 void pointer cast propagation. Cast expressions
  (dataPtr = (int**)dataVoidPtr) preserve "*" state keys. Parenthesized
  dereference form (*dataPtr) unwrapped for variant 63/64. +6 TP, 0 FP.
- EXP34-C: variant 66 array element null propagation. Prescan tracks
  subscript_expression assignments (arr[idx] = expr) as "arr.idx" dotted
  keys, reusing the struct field mechanism. Transfer function handles
  subscript_expression lookups. +6 TP, 0 FP.
- 6 new EXP34-C regression tests for variants 63, 64, and 66.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�E
+�{555Release v0.3.52### Changed

- EXP33-C: partial init array detection. Track allocation element count from
  malloc/ALLOCA calls; compare for-loop bound vs allocation count. If loop
  bound < allocation count, content stays MallocUninitialized (partial init).
  Detects 6 partial_init array types across all 18 Juliet variants (+102 TP).
- init_state: dead-branch elimination for constant conditions. Collect
  file-scope static [const] constants; evaluate branch conditions at analysis
  time; skip impossible edges. Handles literal (if(1)), const expr (if(5==5)),
  and static const/var conditions (if(STATIC_CONST_TRUE), if(staticTrue)).
  Eliminates opaque predicate FPs in Juliet variants 02-07 (-198 FP).
- const_eval: added comparison operators (==, !=, <, >, <=, >=) to
  try_evaluate_expr(). Enables constant condition evaluation.
- prescan: collect global constants from prescanned directories. Non-static
  const/non-const globals with compile-time values stored in
  ProjectContext.global_constants. Merged with macro_constants into EXP33-C
  file_scope_constants for cross-file dead-branch elimination (variants 09-14).

### Results

- CWE-457: 422 TP/715 FP (37.1%) → 524 TP/517 FP (50.3%). +102 TP, -198 FP,
  +13.2pp TP rate. Per-file detection 68.5% → 85.1%.
- Overall: 51.6% → 51.9% (+0.3pp). +101 TP, -200 FP. Zero regressions.done2026-04-20T16:58:08Z2026-03-31T00:00:00Z2026-03-31T00:00:00Z�D
+�555Release v0.3.51### Added

- MSC07-C: unreachable code detection (BRULE-034 gap). AST-based detection of
  statements after unconditional return/break/continue/goto and noreturn calls
  (exit, abort, _Exit, longjmp, quick_exit, thrd_exit, ExitProcess, ExitThread).
  Reports only first unreachable statement per terminal. CWE-561 mapping.
  11 tests: 7 fail, 4 pass.
- MSC04-C: bounded recursion suppression. If a recursive function has a
  parameter-dependent base case (conditional return checking a parameter),
  the violation is suppressed. CWE-674: 2 TP/2 FP → 1 TP/0 FP (100% TP rate).done2026-04-20T16:58:08Z2026-03-30T00:00:00Z2026-03-30T00:00:00Z�8C
+�I555Release v0.3.50### Changed

- prescan: detect (type *)param cast pattern as dereference in function
  summaries. Enables EXP33-C variant 64 (void* → cast → deref) detection.
  CWE-457: +10 TP, +10 FP (void pointer indirection types).done2026-04-20T16:58:08Z2026-03-30T00:00:00Z2026-03-30T00:00:00Z�@B
+�Y555Release v0.3.49### Changed

- EXP33-C: cross-file inter-procedural init tracking via set_project_context().
  build_read_only_deref_fns(): dereferences_params - modifies_params.
  InitAnalysisConfig.read_only_deref_fns prevents &var from being marked
  initialized when callee only reads through the pointer.
  check_cross_file_uninit_calls: flags calls passing &uninit_var to functions
  that read the pointed-to value (variant 63 pattern).
  CWE-457: +10 TP, +10 FP (10 simple scalar/pointer types).done2026-04-20T16:58:08Z2026-03-30T00:00:00Z2026-03-30T00:00:00Z
����y�:H
+�M555Release v0.3.58### Added

- SIG31-C + SIG34-C: CWE-364 signal handler race condition detection. Mapped
  existing rules to CWE-364. 54 TP/51 FP (51.4%).
- MSC12-C: CWE-398 poor code quality — extended with 7 new patterns: empty
  control flow bodies, empty function bodies, standalone empty blocks, empty
  switch cases, stray semicolons, arithmetic no-effect, self-assignment.
  181 TP/2 FP (98.9%).
- MSC13-C: new rule for CWE-563 unused variable detection. Detects unused
  initialized/uninitialized local variables and dead stores. Struct field write
  not counted as read. 289 TP/0 FP (100%).

### Results

- Juliet v0.3.58: 23,351 TP / 21,021 FP — 52.6% TP rate (+0.5pp from v0.3.56).
  +524 TP, +53 FP. Zero regressions on 70 existing CWEs.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�+G
+�/555Release v0.3.57### Fixed

- STR03-C, INT00-C, INT16-C: resolved 3 remaining implementation bugs.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z��I
+�a555Release v0.3.59### Added

- MSC42-C: new rule for CWE-327 broken/weak crypto algorithm detection. Blacklist:
  CALG_DES, CALG_3DES, CALG_RC5, CALG_RC2, CALG_RC4 in CryptDeriveKey/CryptGenKey.
  Also detects weak OpenSSL ciphers (EVP_des_*, DES_*, EVP_rc4, EVP_rc2_*).
  54 TP/0 FP (100%).
- WIN05-C: new rule for CWE-272 unquoted CreateProcess path detection. Two
  sub-patterns: unquoted paths with spaces in CreateProcessA/W/AsUser (path
  interception), HKEY_LOCAL_MACHINE in registry operations (excessive privilege).
  254 TP/64 FP (79.9%).
- ARR39-C: CWE-468 incorrect pointer scaling fix. Case-insensitive pointer name
  matching, added "pointer" keyword. Detects double-scaling pattern.
  19 TP/32 FP (37.3%).
- MSC41-C: CWE-259 hard-coded password improvements. Added "logon" to sensitive
  function keywords, added #define macro detection for sensitive-named macros.
  0 TP/0 FP on Juliet (tree-sitter preprocessor limitation).

### Results

- Juliet v0.3.59: 23,678 TP / 21,117 FP — 52.9% TP rate (+0.3pp from v0.3.58).
  +327 TP, +96 FP. 74 CWEs covered (up from 70).done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z
B��
B�IQ
+�k555Release v0.3.67### Fixed

- resolve_local_var_range returned first assignment instead of last. For
  `data = 0; data = INT_MAX; result = data + 1;`, resolved data to [0,0]
  instead of [INT_MAX,INT_MAX], causing INT32-C/INT30-C false suppression.
- Unevaluable assignments (data = rand(), fscanf(&data)) left stale range
  from prior assignment. New stmt_modifies_var() invalidates range on
  unevaluable assignment or pointer-modifying call.
- Juliet benchmark runner: -d JULIET_BASE prescanned 58K files per CWE
  (~4 min each × 74 CWEs). Changed to CWE-scoped prescan and -j 1.
  Benchmark time: hours → 7 min.

### Results

- CWE-190: 1,763→2,322 TP (+559), per-file 35.0%→43.3% (+8.3pp)
- CWE-191: 1,563→1,973 TP (+410), per-file 40.5%→47.7% (+7.2pp)
- CWE-680: 404→559 TP (+155), TP rate 48.7%→51.4% (+2.7pp)
- Overall: +1,144 TP, +1,290 FP. TP rate 53.6%→53.3% (-0.3pp).done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z�SL
+�555Release v0.3.62### Fixed

- Resolved all 5 pre-existing test failures (CON08-C, DCL20-C, INT08-C, EXP15-C).
  Zero test failures remain.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�K
+�	555Release v0.3.61### Added

- Man page (`docs/sqc.1`) covering all 16 CLI options, exit codes, rules manifest
  and suppression file config, 7 usage examples, and cross-references.
  View with: `man -l docs/sqc.1`.
- Test coverage gate raised from 80% to 81% (1,350 additional lines covered).
  75+ new `.c` test files across 10 rules.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�
P
+�s555Release v0.3.66### Added

- LPT file-size scheduling for parallel analysis. Graham's LPT heuristic
  (1969): files sorted by size descending, dispatched via rayon par_bridge()
  (demand-driven). Reduces worst-case runtime variance by 52-99% and improves
  CPU efficiency from 83% to 96% on skewed workloads (sqlite, curl).done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z�O
+�W555Release v0.3.65### Fixed

- Sequential mode (`-j 1`) now creates a fresh RuleRegistry per file, matching
  parallel mode behavior. Previously, rules with RefCell state (DCL31-C, DCL07-C,
  ERR01-C, ERR33-C, ENV33-C, ENV03-C, ENV02-C, API00-C, INT30-C, SIG00-C,
  SIG02-C, WIN03-C, WIN05-C, WIN30-C) accumulated data across files, causing
  false suppressions in later files. Sequential and parallel modes now produce
  identical output.done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z�YN
+�555Release v0.3.64### Added

- Built-in parallel analysis with rayon (`-j`/`--jobs` flag). Default `-j 0`
  auto-detects CPU count. Per-file parser and rule registry instances avoid
  RefCell/Send issues. Results sorted deterministically. Python parallel wrapper
  (`scripts/sqc_parallel_scan.py`) removed — no longer needed.
  Performance: curl 9m38s → 59s (9.8x), mosquitto 2m42s → 34s (4.8x).done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z�M
+�y555Release v0.3.63### Added

- BRULE-065: pointer indirection depth check. Flags declarations with excessive
  pointer indirection (e.g., `int ***p`). Handles parameter declarations,
  init_declarators, and nested declarator chains. First non-CERT rule —
  established `src/rules/brules/` directory structure.
- `expected_fail/` test directory for known analysis limitations. build.rs
  generates tests with `#[ignore = "Known limitation: ..."]`. Run with
  `cargo test -- --ignored` to check for improvements.

### Fixed

- MSC13-C: compound assignment LHS (`+=`, `-=`, etc.) now recognized as a read.
  `is_read_context()` checks assignment operator type; `collect_all_assignments()`
  only collects simple `=` assignments.
- INT34-C: AST-based unsigned type detection from function parameter declarations.
  Replaced string matching with `decl_has_unsigned_var()` and correct
  `find_parameter_list()` traversal.
- Number of additional fixes (see commit history).done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z
���+V
+�/555Release v0.3.78### Changed

- STR31-C: is_string_memcpy() now checks next 3 lines for manual null-termination
  (dest[...] = '\0').  If programmer explicitly null-terminates after memcpy,
  STR31-C concern is addressed; buffer overflow is a separate ARR38-C concern.

### Benchmark

- −306 FP, −220 TP (1.4:1 ratio). CWE-126 +1.2pp, CWE-121 +0.3pp.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z�EU
+�c555Release v0.3.77### Changed

- ARR38-C: is_dangerous_size_calculation() exempts strlen(x)*sizeof(T) —
  legitimate byte count, not sizeof double-scaling.

### Benchmark

- −1012 FP, −728 TP (1.4:1 ratio). CWE-121 48.8% → 49.9%, CWE-126 +1.5pp.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z�/T
+�7555Release v0.3.76### Changed

- STR31-C: find_buffer_size() follows `data = dataBuffer` pointer aliases
  (function-scoped, excludes pointer arithmetic).  Recognizes ALLOCA(N*sizeof(T))
  and ALLOCA(N).  Array size arithmetic (N*M, N+M, N-M) also supported.

### Benchmark

- −272 FP, −8 TP (34:1 ratio). CWE-127 55.6% → 64.4%, CWE-124 52.1% → 55.0%.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z�RS
+�}555Release v0.3.75### Added

- bench/competitors.py: benchmark runner for Infer and Frama-C on Juliet.
  Runs competitor tools on overlapping CWE subsets, classifies TP/FP using
  Juliet ground truth (OMITBAD/OMITGOOD guards + procedure names).
  Infer: 11 CWEs (memory safety). Frama-C EVA: 6 CWEs (value analysis).
- playbooks/install-static-analyzers.yml: Ansible playbook for installing
  Infer v1.2.0 (prebuilt) and Frama-C 32.0 Germanium (via opam) on Debian 12.
- docs/benchmark-setup.rst: Infer and Frama-C installation instructions.
- docs/benchmark-running.rst: competitor benchmark usage, timing, classification.
- paper/sqc.tex: preliminary Infer/Frama-C comparison data (CWE-476 pilot).
- PLAN.md: split task 33 into 33a (Infer) and 33b (Frama-C) with run commands.done2026-04-20T16:58:08Z2026-04-03T00:00:00Z2026-04-03T00:00:00Z�dR
+�!555Release v0.3.74### Added

- is_full_range_return_function() denylist in std_functions.rs: atoi, atol,
  atoll, strtol, strtoul, strtoll, strtoull, strtoimax, strtoumax, wcstol,
  wcstoul, wcstoll, wcstoull, wcstoimax, wcstoumax, rand, random, lrand48,
  mrand48, rand_r, RAND32, ntohl, ntohs. Functions whose return values can
  span the full integer range are no longer suppressed by the opaque
  increment heuristic in INT32-C and INT30-C.
- resolve_identifier_call_name() in INT32-C/INT30-C: traces the callee
  function name through switch, case, for, while, if, compound, and preproc
  blocks. Enables the denylist check for deeply nested call assignments.
- VRA collect_local_decl_types(): records declared types for uninitialized
  local variables (e.g. `int data;`). Prevents fallback to [i64::MIN,
  i64::MAX] when the variable is later assigned from an unevaluable call.
- VRA local_types lookup in process_expression_range(): uses declared type
  as fallback when existing VRA entry has no type info.

### Fixed

- INT32-C/INT30-C: is_small_increment_of_opaque no longer blanket-suppresses
  `atoi(buf) + 1`, `rand() + 1`, and similar patterns. Known full-range
  functions bypass suppression. Local functions with wide VRA return ranges
  also bypass. strlen()+1 and other bounded-return patterns remain suppressed.
- VRA: `int data; data = atoi(buf);` now correctly uses [INT_MIN, INT_MAX]
  instead of [i64::MIN, i64::MAX] for the fallback range. Fixes incorrect
  VRA suppression of overflow checks for uninit-declared variables.

### Results

- CWE-190: 2,322→2,538 TP (+216), FP -6. TP rate 45.1%→47.4% (+2.3pp).
- CWE-191: 1,973→2,091 TP (+118), FP -6. TP rate 44.0%→45.5% (+1.5pp).
- CWE-680: 559→617 TP (+58), FP unchanged. TP rate 51.4%→53.9% (+2.5pp).
- Overall: +392 TP, -12 FP. TP rate 54.4%→54.8% (+0.4pp). Per-file 45.4%→45.7%.
- Zero CWE regressions. INT32-C: +360 TP / -12 FP (30:1 improvement ratio).done2026-04-20T16:58:08Z2026-04-03T00:00:00Z2026-04-03T00:00:00Z
�44Rc���W
+�555Release v0.3.79### Changed

- STR31-C: get_memset_content_length() scans enclosing function for
  memset/wmemset initialization + null-termination pattern.  Infers strlen(data)
  from fill count.  Max-across-branches for control flow variants.

### Benchmark

- −204 FP, 0 TP (pure FP elimination). CWE-121 +1.4pp, CWE-122 +1.7pp.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z��:[
+�M555Release v0.3.83### Changed

- INT32-C/INT30-C: VRA now consulted for increment/decrement operations.
  check_increment_decrement() uses expression_fits_in_signed/unsigned_vra()
  to suppress data++ when VRA proves the operand is safely within bounds.
- const_eval: try_evaluate_range() handles update_expression nodes (++/--)
  by resolving the argument range and adding/subtracting 1.
- const_eval: try_evaluate_text() resolves sizeof(type) via resolve_sizeof_type()
  and sizeof(variable) conservatively as 1 (sizeof >= 1 on all platforms).
  Enables CHAR_ARRAY_SIZE = (3 * sizeof(data) + 2) macro resolution.
- CWE-190: 47.4% → 58.6% (+11.2pp). CWE-191: 45.5% → 53.9% (+8.4pp).
- Overall: -2,760 FP, -1,388 TP. TP rate 56.8% → 59.0% (+2.2pp).done2026-04-20T16:58:09Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�tZ
+�A555Release v0.3.82### Changed

- CFG: constant condition pruning for if(0)/if(1)/while(1)/for(;;).
  Only the feasible branch edge is emitted, eliminating infeasible-path FPs.
  Also evaluates literal comparisons (5==5, 5!=5) in conditions.
- null_state: walk switch_statement bodies for declarations and assignments.
  Previously the switch was treated as a single opaque statement in the CFG.
- EXP34-C: AST-level null guard fallback — walk ancestors for enclosing
  if(var != NULL) blocks to suppress dereferences inside null guards that
  the CFG cannot model (e.g., inside switch case bodies).
- API00-C: relay function suppression — skip validation warning when a
  pointer parameter is only passed to callees that check for null.

### Benchmark

- Overall: +3 TP, −378 FP (56.3% → 56.8%). Zero regressions.
- CWE-476: +3 TP, −70 FP (50.8% → 56.3%).
- CWE-690: −38 FP (94.6% → 100.0% TP rate).
- Spillover: CWE-195 −150 FP, CWE-369 −60 FP, CWE-680 −30 FP.
- Per-rule: INT31-C −180 FP, EXP34-C −90 FP, INT33-C −60 FP, API00-C −18 FP.done2026-04-20T16:58:08Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�lY
+�1555Release v0.3.81### Changed

- ARR38-C: extract_strlen_from_sizeof_expr() helper extracts strlen/wcslen
  argument from strlen(x)*sizeof(T) patterns.  Added to check_buffer_size_mismatch
  and check_string_size_parameter: compares source vs dest buffer sizes.
  When source > dest, flags overflow (recovers TPs lost by Fix 2 blanket exemption).

### Benchmark

- +200 TP, +48 FP (4.2:1 ratio). CWE-121 54.3% → 55.7%.done2026-04-20T16:58:08Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�+X
+�/555Release v0.3.80### Changed

- ARR38-C: is_size_within_known_buffer() helper — when check_size_exceeds_buffer
  confirms size fits, skip is_hardcoded_large_size/count heuristics.
  Applied to check_string_size_parameter, check_buffer_function,
  check_wide_string_function.

### Benchmark

- −272 FP, −48 TP (5.7:1 ratio). CWE-121 51.6% → 54.3%.done2026-04-20T16:58:08Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z
����������raP?.��������sbQ)C5
�
�
�
�
�
�
�
�
�
c
W
}
o
/
#
I
;�

���������^Rwj*D6�������~r��JdV <.
�
�
�
�
�
�
�
�
r
d
�
~
<
0
V
H

"
	�	�	�	�	�	�	�	�	�	h	�	t	@	Z	L		2	$�		��������yj]N?2#���������uhYJ;,���������zm^O@1"���������p8TE
)���������_{l4PA	�%������{��PlA]	2�#�������bS�s$D5Wrelease�Vchanged�Vbenchmark���Vv0.3.78�Vrelease�Uchanged�Ubenchmark��xUv0.3.77�Urelease�Tchanged�Tbenchmark��:Tv0.3.76�Trelease�Sadded��Sv0.3.75�Srelease�Rresults�Rfixed�Radded���Rv0.3.74�Rrelease�Qresults�Qfixed���Qv0.3.67�Qrelease�Padded�Pv0.3.66�Prelease��EOfixed��8Ov0.3.65�Orelease�Nadded��
Nv0.3.64�Nrelease�Mfixed�Madded���Mv0.3.63�Mrelease�Lfixed���Lv0.3.62�Lrelease�Kadded��Kv0.3.61�Krelease�Jresults�Jadded��EJv0.3.60�Jrelease�Iresults�Iadded��Iv0.3.59�Irelease�Hresults�Hadded���Hv0.3.58�Hrelease�Gfixed�Gv0.3.57�Grelease���Fadded��{Fv0.3.56�Fadded�Ev0.3.52�Eresults�Erelease�Echanged�Dv0.3.51�Drelease�Dadded�Cv0.3.50�Crelease�Cchanged�Bv0.3.49�Brelease�Bchanged�Av0.3.48�Arelease�Afixed�Achanged�Aadded�@v0.3.47�@results�@release�@changed�?v0.3.46�?results�?release�?changed�>v0.3.44�>results�>release�>changed�=v0.3.43�=release�=added�<v0.3.42�<release�<fixed�<changed�;v0.3.39�;release�;fixed�:v0.3.38�:release�:fixed�:changed�9v0.3.37�9release�9fixed�8v0.3.36�8release�8added�7v0.3.35�7release�7fixed�7changed�7added�6v0.3.34�6release�6fixed�5v0.3.33�5changed�5removed�5release�4fixed
4v0.3.32~
4release}3fixed|
3v0.3.31{
3releasez2fixedy
2v0.3.30x
2releasew
1changedv1addedu
1v0.3.28t
1releases0fixedr
0changedq0addedp
0v0.3.27o
0releasen/fixedm
/v0.3.26l
/releasek.fixedj.addedi
.v0.3.25h
.releaseg
-changedf-addede
-v0.3.24d
-releasec
,changedb,addeda
,v0.3.23`
,release_+fixed^
+v0.3.22]
+release\*added[
*v0.3.21Z
*releaseY
)changedX
)v0.3.20W
)releaseV(fixedU
(v0.3.19T
(releaseS'fixedR'addedQ
'v0.3.18P
'releaseO&addedN
&v0.3.17M
&releaseL%addedK
%v0.3.15J
%releaseI$fixedH
$v0.3.14G
$releaseF#fixedE#addedD
#v0.3.13C
#releaseB"fixedA"added@"v0.3.8?
"release>!added=!v0.3.5<
!release; fixed: v0.3.39
 release8fixed7
v0.2.256
release5fixed4
v0.2.223
release2fixed1added0
v0.2.21/
release.fixed-added,
v0.2.20+
release*fixed)
v0.2.17(
release'added&
v0.2.16%
release$fixed#added"
v0.2.15!
release fixed
changedadded
v0.2.13
release!plan-id:71!plan-id:70!plan-id:69!plan-id:68!plan-id:67!plan-id:66!plan-id:65!plan-id:64!plan-id:63!plan-id:62!
plan-id:61!plan-id:60!plan-id:59!
plan-id:53
!	plan-id:51!plan-id:49!plan-id:47
!plan-id:37	!plan-id:27!plan-id:20deferred!plan-id:10deferredplan-id:9
	deferred
		plan-id:8
x��i\M>1"���������teXI:- 
�
�
�
�
�
�
�
�
�
t
e
V
G
:
-


	�	�	�	�	�	�	�	�	w	h	Y	H	9	*	��	�����pa��2#RC�������m^�~3$O@������~o��@1`Q�"�����w��IhX
:*��������\M}m;)���vT+	����_=����������s�gRC.������ostics_#�performance^build]!A~fp-reduction,cert-c,exp15c\!A
�build`#�diagnostics_#�performance^build]!A~fp-reduction,cert-c,exp15c\!A}fp-reduction,cert-c,pre07c[!A|fp-reduction,cert-c,exp02cZ!A{fp-reduction,cert-c,arr39cY!Azfp-reduction,cert-c,pre10cX!Ayfp-reduction,cert-c,flp00cW!Axfp-reduction,cert-c,msc37cV!Awfp-reduction,cert-c,mem05cU(Ovfp-reduction,cert-c,exp33c,arr00cT!Aufp-reduction,cert-c,mem30cS(Otfp-reduction,cert-c,dcl07c,dcl31cR(Osfp-reduction,cert-c,int32c,int10cQ+Urint31c,fp-reduction,cert-c,benchmarkP!pplan-id:49OobenchmarkN!nplan-id:49M!mplan-id:49L!lplan-id:49KkchangedJkbenchmarkIkv0.3.104HkreleaseGjchangedFjbenchmarkEjv0.3.103DjreleaseCichangedBibenchmarkAiv0.3.102@irelease?hchanged>hbenchmark=hv0.3.101<hrelease;gchanged:gv0.3.1009grelease8fchanged7fbenchmark6fv0.3.995frelease4echanged3ebenchmark2ev0.3.981erelease0dchanged/dbenchmark.dv0.3.97-drelease,cchanged+cbenchmark*cv0.3.93)crelease(bchanged'bbenchmark&bv0.3.92%brelease$achanged#abenchmark"av0.3.91!arelease `task`changed`v0.3.90`release_changed_added_v0.3.87_release^changed^benchmark^v0.3.86^release]changed]v0.3.85]release\changed\v0.3.84\release[changed
[v0.3.83[releaseZchanged
Zbenchmark	Zv0.3.82ZreleaseYchangedYbenchmarkYv0.3.81YreleaseXchangedXbenchmarkXv0.3.80Xrelease�Wchanged�Wbenchmark�Wv0.3.79�Wrelease�Vv0.3.78�Vrelease�Vchanged�Vbenchmark�Uv0.3.77�Urelease�Uchanged�Ubenchmark�Tv0.3.76�Trelease�Tchanged�Tbenchmark�Sv0.3.75�Srelease�Sadded�Rv0.3.74�Rresults�Rrelease�Rfixed�Radded�Qv0.3.67�Qresults�Qrelease�Qfixed�Pv0.3.66�Prelease�Padded�Ov0.3.65�Orelease�Ofixed�Nv0.3.64�Nrelease�Nadded�Mv0.3.63�Mrelease�Mfixed�Madded�Lv0.3.62�Lrelease�Lfixed�Kv0.3.61�Krelease�Kadded�Jv0.3.60�Jresults�Jrelease�Jadded�Iv0.3.59�Iresults�Irelease�Iadded�Hv0.3.58�Hresults�Hrelease�Hadded�Gv0.3.57�Grelease�Gfixed�Fv0.3.56�"Frelease�Fadded�Ev0.3.52�Eresults�Erelease�Echanged�Dv0.3.51�Drelease�Dadded�Cv0.3.50�Crelease�Cchanged�Bv0.3.49�Brelease�Bchanged�Av0.3.48�Arelease�Afixed�Achanged�Aadded�@v0.3.47�@results�@release�@changed�?v0.3.46�?results�?release�?changed�>v0.3.44�>results�>release�>changed�=v0.3.43�=release�=added�<v0.3.42�<release��fio30cv%�fp-reductionu
�papert#�concurrencys%�fp-reductionr�vraq�int30cp�int31co�int32cn%�fp-reductionm�str31cl%�fp-reductionk�vraj�arr30ci%�fp-reductionh�testingg
�buildf
�rulese
�rulesd
�uxc�testingb#�reliabilitya

&��������zjZJ:*
��������zj]PE8- 
�
�
�
�
�
�
�
�
�
�
�
v
i
^
S
F
9
.
!

	�����������xmbUH=0#�����������wj]RE8- 
�
�
�
�
�
�
�
�
�
�

t
g
Z
O
B
7
*


	�	�	�	�	�	�	�	�	�	�	z	l	^	P	B	6	(			���������zn`RF8*���������xj\N@2$
����������tfXJ<."����������rfXJ<0"����������vh\N@4&
����������tfVH:,��������~n`RD4&�
Zchanged
�	Zbenchmark�Zv0.3.82�Zrelease�Ychanged
�Ybenchmark�Yv0.3.81�Yrelease�Xchanged
�Xbenchmark�Xv0.3.80�Xrelease�~Wchanged
�}Wbenchmark�|Wv0.3.79�{Wrelease�zVchanged
�yVbenchmark�xVv0.3.78�wVrelease�vUchanged
�uUbenchmark�tUv0.3.77�sUrelease�rTchanged
�qTbenchmark�pTv0.3.76�oTrelease	�nSadded�mSv0.3.75�lSrelease�kRresults	�jRfixed	�iRadded�hRv0.3.74�gRrelease�fQresults	�eQfixed�dQv0.3.67�cQrelease	�bPadded�aPv0.3.66�`Prelease	�_Ofixed�^Ov0.3.65�]Orelease	�\Nadded�[Nv0.3.64�ZNrelease	�YMfixed	�XMadded�WMv0.3.63�VMrelease	�ULfixed�TLv0.3.62�SLrelease	�RKadded�QKv0.3.61�PKrelease�OJresults	�NJadded�MJv0.3.60�LJrelease�KIresults	�JIadded�IIv0.3.59�HIrelease�GHresults	�FHadded�EHv0.3.58�DHrelease	�CGfixed�BGv0.3.57�AGrelease	�@Fadded�?Fv0.3.56�>Frelease�=Eresults�<Echanged�;Ev0.3.52�:Erelease	�9Dadded�8Dv0.3.51�7Drelease�6Cchanged�5Cv0.3.50�4Crelease�3Bchanged�2Bv0.3.49�1Brelease	�0Afixed�/Achanged	�.Aadded�-Av0.3.48�,Arelease�+@results�*@changed�)@v0.3.47�(@release�'?results�&?changed�%?v0.3.46�$?release�#>results�">changed�!>v0.3.44� >release	�=added�=v0.3.43�=release	�<fixed�<changed�<v0.3.42�<release	�;fixed�;v0.3.39�;release	�:fixed�:changed�:v0.3.38�:release	�9fixed�9v0.3.37�9release	�8added�
8v0.3.36�8release	�7fixed�
7changed	�	7added�7v0.3.35�7release	�6fixed�6v0.3.34�6release�5removed�5changed�5v0.3.33�5release	4fixed~4v0.3.32}4release	|3fixed{3v0.3.31z3release	y2fixedx2v0.3.30w2releasev1changed	u1addedt1v0.3.28s1release	r0fixedq0changed	p0addedo0v0.3.27n0release	m/fixedl/v0.3.26k/release	j.fixed	i.addedh.v0.3.25g.releasef-changed	e-addedd-v0.3.24c-releaseb,changed	a,added`,v0.3.23_,release	^+fixed]+v0.3.22\+release	[*addedZ*v0.3.21Y*releaseX)changedW)v0.3.20V)release	U(fixedT(v0.3.19S(release	R'fixed	Q'addedP'v0.3.18O'release	N&addedM&v0.3.17L&release	K%addedJ%v0.3.15I%release	H$fixedG$v0.3.14F$release	E#fixed	D#addedC#v0.3.13B#release	A"fixed	@"added
?"v0.3.8>"release	=!added
<!v0.3.5;!release	: fixed
9 v0.3.38 release	7fixed6v0.2.255release	4fixed3v0.2.222release	1fixed	0added/v0.2.21.release	-fixed	,added+v0.2.20*release	)fixed(v0.2.17'release	&added%v0.2.16$release	#fixed	"added!v0.2.15 release	fixedchanged	addedv0.2.13release!plan-id:71!plan-id:70!plan-id:69!plan-id:68!plan-id:67!plan-id:66!plan-id:65!plan-id:64!plan-id:63!plan-id:62!
plan-id:61!plan-id:60!plan-id:59
!
plan-id:53!	plan-id:51!plan-id:49
!plan-id:47	!plan-id:37!plan-id:27!plan-id:20deferred!plan-id:10deferred
plan-id:9	deferred	plan-id:8
l����������tfVH:, ���������wi[M=/!
�
�
�
�
�
�
�
�
�
s
d
V
H
9
)


���������xjYH7'���zR1
�
�
�
�
k
J
>
+

	�	�	�	�	�	�	�	�	�	|	h	Z	F	8	*		������v�fio30c�u%�fp-reduction
�t�paper�s#�concurrency�r%�fp-reduction�q�vra�p�int30c�o�int31c�n�int32c�m%�fp-reduction�l�str31c�k%�fp-reduction�j�vra�i�arr30c�h%�fp-reduction�g�testing
�f�build
�e�rules
�d�rules�c�ux�b�testing�a#�reliability
�`�build�_#�diagnostics�^#�performance	�]build�\A~fp-reduction,cert-c,exp15c�[A}fp-reduction,cert-c,pre07c�ZA|fp-reduction,cert-c,exp02c�YA{fp-reduction,cert-c,arr39c�XAzfp-reduction,cert-c,pre10c�WAyfp-reduction,cert-c,flp00c�VAxfp-reduction,cert-c,msc37c�UAwfp-reduction,cert-c,mem05c%�TOvfp-reduction,cert-c,exp33c,arr00c�SAufp-reduction,cert-c,mem30c%�ROtfp-reduction,cert-c,dcl07c,dcl31c%�QOsfp-reduction,cert-c,int32c,int10c(�PUrint31c,fp-reduction,cert-c,benchmark�O!pplan-id:49
�Nobenchmark�M!nplan-id:49�L!mplan-id:49�K!lplan-id:49�Jkchanged
�Ikbenchmark�Hkv0.3.104�Gkrelease�Fjchanged
�Ejbenchmark�Djv0.3.103�Cjrelease�Bichanged
�Aibenchmark�@iv0.3.102�?irelease�>hchanged
�=hbenchmark�<hv0.3.101�;hrelease�:gchanged�9gv0.3.100�8grelease�7fchanged
�6fbenchmark�5fv0.3.99�4frelease�3echanged
�2ebenchmark�1ev0.3.98�0erelease�/dchanged
�.dbenchmark�-dv0.3.97�,drelease�+cchanged
�*cbenchmark�)cv0.3.93�(crelease�'bchanged
�&bbenchmark�%bv0.3.92�$brelease�#achanged
�"abenchmark�!av0.3.91� arelease�`task�`changed�`v0.3.90�`release�_changed	�_added�_v0.3.87�_release�^changed
�^benchmark�^v0.3.86�^release�]changed�]v0.3.85�]release�\changed�\v0.3.84�\release�
[changed�[v0.3.83�[release
|�h]
+�)555Release v0.3.85### Changed

- MEM01-C: CFG-based forward reachability replaces naive "next statement is
  NULL?" check. For each free(ptr), BFS through CFG successor blocks — only
  flags when ptr is actually used or freed again on a reachable path. Suppresses
  when ptr goes out of scope or is reassigned. Declaration-as-reassignment
  handling for loop-scoped variables. Inline CFG building fallback for tests.
- CWE-415: 43.4% → 58.2% (+14.8pp). CWE-416: 43.9% → 92.9% (+49.0pp).
- MEM01-C: -654 FP, -204 TP (3.2:1 ratio). Rule TP rate 41.7% → 71.8%.
- Overall: 25,481 TP / 16,311 FP. TP rate 60.2% → 61.0% (+0.8pp).
  Zero regressions across all 74 CWEs.done2026-04-20T16:58:09Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�q\
+�;555Release v0.3.84### Changed

- INT33-C: all-assignments-nonzero check for divisor variables. If ALL
  assignments to the divisor in the containing function are non-zero constants,
  the division is safe. Loop update detection (i--, i++) prevents false
  suppression of loop variables.
- INT33-C: fabs()/fabsf()/fabsl() magnitude guard recognition. Float
  divide-by-zero guards like `if(fabs(data) > 0.000001)` now suppress.
- FLP03-C: constant-aware divisor non-zero detection. Two-strategy approach:
  all-assignments-nonzero, and feasible-branch walk using file-scope constants
  to determine last reaching assignment.
- CFG builder: resolve static const int variables as constant conditions.
  Enables dead-branch pruning for `if(STATIC_CONST_TRUE)` patterns.
- const_eval: collect file-scope `static const int` declarations as constants.
- const_eval: float literal to i64 fallback (e.g., 2.0F → 2) for VRA tracking.
- CWE-369 TP rate 37.9% → 53.9% (+16.0pp). -882 FP, -8 TP overall.
  Bonus: INT31-C -144 FP, EXP34-C -24 FP from CFG constant resolution.done2026-04-20T16:58:09Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z��`^
+�555Release v0.3.86### Changed

- MEM31-C: prescan-based callee-frees-param detection. When a callee function
  is known (via FunctionSummary.frees_params) to free a parameter, mark the
  allocation as freed at the call site instead of flagging a leak.
- FunctionSummary: param pass-through tracking. Detects when function params
  are forwarded directly to callees (AST-based). Used for transitive free
  propagation across relay function chains (A→B→C→free).
- prescan: propagate_transitive_frees() fixpoint. After all summaries are
  merged, propagates frees through pass-through chains up to 10 levels deep.
- MEM31-C: if/else branch merge fix. Use UNION of freed memory from both
  branches instead of only true branch state. Prevents FPs where free() is
  in the else clause of constant-condition if/else blocks.
- MEM31-C converted from unit struct to stateful struct with
  set_project_context() for prescan integration.

### Benchmark

- CWE-401: 50.7% → 77.6% (+26.9pp). MEM31-C: -543 FP, -25 TP (21.7:1 ratio).
- MEM31-C rule FP rate: 49.3% → 22.4%.
- Overall: 25,456 TP / 15,768 FP. TP rate 61.0% → 61.8% (+0.8pp).
  Zero regressions across all 74 CWEs.done2026-04-20T16:58:09Z2026-04-06T00:00:00Z2026-04-06T00:00:00Z

����a
+�555Release v0.3.91### Changed

- FunctionSummary: recognize alias null-checks as param null-checks.
  Pattern: `TYPE *alias = param;` followed by a null check on `alias`.
  Common in libcurl/sqlite wrappers that cast-copy the pointer param first
  (e.g. `struct Curl_easy *data = d; if(!data) ...`). Without this,
  `d` was not detected as null-checked, causing caller-side EXP34-C FPs
  on curl wrappers.

### Benchmark

- Addresses v0.3.90 curl EXP34-C regression (+45 FPs from unmasked short
  param-name substring matches revealing previously-hidden violations on
  curl wrapper patterns).done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z�`
+�c555Release v0.3.90### Changed

- FunctionSummary.checks_null_params: recognize `PARAM == 0` / `PARAM != 0`
  and reversed-operand variants as null checks. Previously only the `== NULL`
  / `!= NULL` spellings matched, so idioms like `if(pStmt==0)` (common in
  sqlite, libcurl) did not register the param as null-checked. The new
  `body_matches_null_check()` helper also handles arbitrary whitespace
  between tokens and uses word-boundary checks to avoid matching substrings.
- EXP34-C: skip deref-function arg check when callee is in the null-safe
  list (free, realloc). `free(NULL)` is defined as no-op per C11 7.22.3.3
  and `realloc(NULL, n)` per C11 7.22.3.5; flagging them as null-deref sites
  is incorrect.
- EXP34-C null-safe function list: added `realloc`.

### Task

- Task 61 (partial): EXP34-C FP reduction for null-safe wrappers and the
  `== 0` null-check idiom. The originally-listed 16 FPs in d_lib_common
  (Patterns 9 + 18) were already addressed by earlier EXP34-C work
  (v0.3.82 AST-level null guard + v0.2.20 &stack_var propagation). This
  changeset targets the remaining `Memory_Free(NULL)` wrapper FP and the
  sqlite-style `== 0` null-check idiom surfaced by the realworld benchmark.done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z�^_
+�555Release v0.3.87### Added

- 13 multi-file CLI integration tests for cross-file prescan capabilities:
  callsite null propagation (EXP34-C), can_return_null (EXP34-C),
  frees_params (MEM31-C), header_declared_functions (DCL15-C).
  Each scenario tests with-d, without-d, and safe variants.
  (Task 20)
- Test fixtures: crossfile_callsite_null/, crossfile_frees/, crossfile_header/
  with manifests for MEM31-C and DCL15-C.

### Changed

- docs/architecture.rst: comprehensive rewrite. Inventory of all 10 analysis
  modules, capabilities table expanded from 10 to 17 entries, limitations
  table updated (8 entries with impact), per-CWE ceiling analysis, updated
  competitor landscape from 5-tool benchmark. Removed outdated claims
  ("No VRA", "No whole-program analysis", 48% TP rate). (Task 37)
- README.md: benchmark table updated (48.4% → 61.8% TP rate, 16 → 32
  perfect CWEs, added per-file detection rate 42.6%).
- docs/sqc.1: man page version 0.3.61 → 0.3.87.
- docs/cli-usage.rst: prescan collection list expanded from 4 to 9 items
  (added header prototypes, call graph, call-site arg states, struct field
  types, global constants, global null states).done2026-04-20T16:58:09Z2026-04-07T00:00:00Z2026-04-07T00:00:00Zw
���a)
�
�
����b@�h:
�
�	�	Y��:��e3��=��_#�J��r<��� V��d������U�\.
�
z	�	�	
�_+���_s=��e/���Rwj����0#��0�����lK
�
�
�
a
?
�����
�
�
X
6
	�	~	4	������b�(Mt��>���?�w�	�z�(�K�����sdRw��UF7(
�����������w?
�
�
�
w
U
3
���xV4	�R��Afp-reduction,cert-c,exp15c\Afp-reduction,cert-c,pre07c[Afp-reduction,cert-c,exp02cZAfp-reduction,cert-c,arr39cY)Uint31c,fp-reduction,cert-c,benchmarkPchanged
addedchanged#changedchangedbenchmark
build]benchmark"changed
build`benchmark&changedchanged+changed'changed
buildfbenchmark*changed
benchmark	
papertbenchmark.changedbenchmarkchanged3changed/changedbenchmark�v0.3.80benchmark2changed�benchmark�Yv0.3.79benchmark6changed�benchmark�changed:changed7changed�benchmark��v0.3.77benchmark=changed�benchmark�changedBchanged>
added��	v0.3.benchmarkEbenchmarkA
fixed�
added�Hv0.3.74benchmarkIchangedF
fixed�arr30ci�changedJ
added�m
v0.3.6!plan-id:49K
fixed��
v0.3.6!plan-id:49L
added��
v0.3.6!plan-id:49M
fixed�
added��v0.3.63benchmarkN
fixed�p
v0.3.6!plan-id:49O
added�&Ofp-reduction,cert-c,int32c,int10cQ
added�&Ofp-reduction,cert-c,dcl07c,dcl31cR
added��v0.Afp-reduction,cert-c,mem30cS
added��	v0.3.#performance^
fixed� 	v0.3.#diagnostics_
added�&Ofp-reduction,cert-c,exp33c,arr00cTchanged�Ev0.3%fp-reductionh
added�lv0.3%fp-reductionkchanged��v0.3%fp-reductionmchanged�int31co�int32cn
fixed�changed�
added�v0.Afp-reduction,cert-c,mem05cUchanged�8v0.Afp-reduction,cert-c,msc37cVchanged��v0.Afp-reduction,cert-c,flp00cWchanged�fio30cv�int30cp
added��v0.3%fp-reductionr
fixed�changed��	v0.3.#concurrencys
fixed�	v0.3%fp-reductionu
fixed�changed�	?v0.3.38�	?
release�
fixed�	dv0.3.37�	d
release�
added�	�v0.3.36�	�
release�
fixed�changed�
added�	�v0.3.35�	�
release�
fixed�	�v0.Afp-reduction,cert-c,pre10cXchanged�
v0.3.33�

release�	fixed
@v0.3.32~
@release}	fixed|
bv0.3.31{
breleasez	fixedy
�v0.3.30x
�releasewchangedv	addedu
�v0.3.28t
�releases	fixedrchangedq	addedp
�v0.3.27o
�releasen	fixedmv0.3.26lreleasek	fixedj	addediDv0.3.25hDreleasegchangedf	addederv0.3.24drreleasecchangedb	addeda�v0.3.23`�release_	fixed^�v0.3.22]�release\	added[�v0.3.21Z�releaseYchangedX�v0.3.20W�releaseV	fixedU(v0.3.19T(releaseS	fixedR	addedQJv0.3.18PreleaseO	addedNlv0.3.17MreleaseL	addedK�v0.3.15JreleaseI	fixedH�v0.3.14GreleaseF	fixedE	addedD�v0.3.13CreleaseB	fixedA	added@
v0.3.8?release>	added=
(v0.3.5<release;	fixed:
Iv0.3.39release8	fixed7
kv0.2.256release5	fixed4
�v0.2.223release2	fixed1	added0
�v0.2.21/release.	fixed-	added,
�v0.2.20+release*	fixed)v0.2.17(release'	added&3v0.2.16%release$	fixed#	added"kv0.2.15!release 	fixedchanged	addedv0.2.13release!plan-id:71!plan-id:70!plan-id:69!plan-id:68!plan-id:67!plan-id:66!plan-id:65!plan-id:64!plan-id:63!plan-id:62!plan-id:61!plan-id:60!plan-id:59!plan-id:53
!plan-id:51!plan-id:49!plan-id:47
!plan-id:37	!plan-id:27!plan-id:20deferred!plan-id:10deferred
plan-id:9deferred	plan-id:8
������������|pcVI</"����������yl_RE8+
�
�
�
�
�
�
�
�
�
�
u
h
[
N
A
4	�����jO4��
'



���������	�������vj^R\A&�F:."
�����������{obUH;.!
�
�
�
�
�
�
�
�
�
�
z
m
`
S
F
9
,


	�	�	�	�	�	�	�	�	�	�	x	k	^	Q	D	7	*	�����w��vraqstr31clvrajtestingg
rulese
rulesduxctestingb#reliabilitya
v0.3.104HreleaseG
v0.3.103DreleaseC
v0.3.102@release?
v0.3.101<release;
v0.3.1009release8v0.3.995release4v0.3.981release0v0.3.97-release,v0.3.93)release(v0.3.92%release$v0.3.91!release 	taskv0.3.90v0.3.87v0.3.86v0.3.85v0.3.84v0.3.83v0.3.82v0.3.81v0.3.80
v0.3.8?v0.3.79�v0.3.78�v0.3.77�v0.3.76�v0.3.75�v0.3.74�v0.3.67�v0.3.66�v0.3.65�v0.3.64�v0.3.63�v0.3.62�v0.3.61�v0.3.60�v0.3.59�v0.3.58�v0.3.57�v0.3.56�v0.3.52�v0.3.51�v0.3.50�
v0.3.5<v0.3.49�v0.3.48�v0.3.47�v0.3.46�v0.3.44�v0.3.43�v0.3.42�v0.3.39�v0.3.38�v0.3.37�v0.3.36�v0.3.35�v0.3.34�v0.3.33�v0.3.32~v0.3.31{v0.3.30x
v0.3.39v0.3.28tv0.3.27ov0.3.26lv0.3.25hv0.3.24dv0.3.23`v0.3.22]v0.3.21Zv0.3.20Wv0.3.19Tv0.3.18Pv0.3.17Mv0.3.15Jv0.3.14Gv0.3.13Cv0.2.256v0.2.223v0.2.21/v0.2.20+v0.2.17(v0.2.16%v0.2.15!v0.2.13results�results�results�results�results�results�results�results�results�removed�releasereleasereleasereleasereleasereleasereleasereleaserelease�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release�release}releasezreleasewreleasesreleasenreleasekreleasegreleasecrelease_release\releaseYreleaseV
����#c
+�555Release v0.3.93### Changed

- INT30-C: drop the dedicated `malloc()` / `realloc()` multiplication
  overflow check. The inner `*` expression is already covered by the
  generic `check_multiplication` walker (which correctly skips under
  VRA / constant-folding / SIZE_MAX-guard conditions), so the
  allocation-level check only produced duplicate diagnostics on every
  hit and occasional false positives on good-path cases where the
  inner check had proved the multiplication safe (e.g. Juliet
  `malloc(data * sizeof(int))` with `data = 20`). Calloc's dedicated
  check remains — its multiplication is implicit and not visible to
  the binary-expression walk.
- INT30-C: removed now-dead `flag_allocation_overflow` and
  `contains_multiplication` helpers.

### Benchmark

- Follow-up to v0.3.92: the v0.3.92 get_function_arguments fix
  restored the previously-broken malloc/realloc check, adding 525
  duplicate diagnostics on CWE-680 (TP +207, FP +318, TP rate
  −4.7pp). Deduplicating the check brings CWE-680 back to baseline
  while preserving the v0.3.92 embedded FP reductions and the
  calloc-wrapper / message-cleanup improvements.
- Juliet v0.3.93 vs v0.3.91 (baseline): zero delta across all 74
  CWEs — TP 25354, FP 15768, TP rate 61.7%, unchanged. The v0.3.92
  CWE-680 regression is fully reversed.
- Real-world v0.3.93 vs v0.3.91: **−187 INT30-C violations** across
  four codebases (hostap's pre-existing stack overflow unrelated).
    curl:      -106 INT30-C
    mosquitto:  -44 INT30-C
    sqlite:     -37 INT30-C, -1 FIO05-C
    libcrc:       0
  Total: -188 violations overall. Closes task 60.done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z�cb
+�555Release v0.3.92### Changed

- INT30-C: three targeted FP reductions on embedded codebases:
  1. Skip plain `++`/`--` of a wide-unsigned struct/union field
     (`ctx->tick++`, `obj.seq--`). Monotonic counter fields wrap at 2^32
     or 2^64 — practically never in real systems. Juliet CWE-190/191
     only exercises local-variable increments, so TP detection is
     preserved.
  2. Skip the calloc overflow warning when both `calloc` arguments are
     function parameters of the enclosing function (thin-wrapper
     pattern). Overflow detection is delegated to C11 calloc itself
     (§7.22.3.2).
  3. Extend subtraction guard detection to preceding
     early-exit `if` siblings. `if (a < b) return; /* ... a - b */`
     places the subtraction on an implicit else-path where `a >= b`.
- INT30-C: `get_function_arguments` now iterates named children of the
  argument list instead of all children. Previously it returned
  punctuation tokens (`(`) as the first "argument", which silently
  suppressed `malloc`/`realloc` multiplication overflow detection and
  produced malformed `calloc((, nmemb)` messages. Added missing
  `SIZE_MAX / size` guard recognition for `malloc` and `realloc`
  (calloc already had it) so the fix does not regress pass tests.
- INT30-C: `has_function_context_check` falls back to the translation
  unit when the call has no containing function, so top-level wiki-
  snippet tests continue to recognize overflow guards.

### Benchmark

- Targets task 60 follow-up: embedded FPs identified after v0.3.88
  library benchmark. On the 4 target embedded codebases (suppressions
  stripped for measurement):
    d_lib_common:          1 → 0 INT30-C FPs
    d_lib_serial_leds:    12 → 8 INT30-C FPs (−3 tick increments,
                                             −1 implicit-else guard)
    d_lib_airpath:         2 → 2 (unchanged — bounded-shift compound
                                 addition, out of scope)
  All 3319 existing tests still pass; new
  `testcases_embedded_patterns.c` pass test covers the three new
  patterns.done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z
�XX	t�0d
+�9555Release v0.3.97### Changed

- API00-C: suppress `void *` / `const void *` parameters that are never
  dereferenced locally and only pass through to null-accepting stdlib
  sinks (free/realloc/cfree/Memory_Free/Memory_Realloc) or callees
  whose summary validates the argument. NULL is a valid value for
  generic-container slot parameters (e.g., `ArrayList_Append(self,
  void *item)`).

### Benchmark

- Juliet v0.3.96 → v0.3.97: TP 24,628→24,622 (-6), FP 14,238→14,226
  (-12). API00-C was the only affected rule (2.0:1 FP:TP ratio).
  CWE-476 (null deref) TP rate 58.9% → 59.6% (+0.7pp). Overall TP
  rate unchanged at 63.4%. Zero other-rule regressions.
- Real-world d_lib_common: API00-C 1 → 0 FP with
  suppressions stripped.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z��	e
+�k555Release v0.3.98### Changed

- EXP02-C: extend guard-pattern recognition beyond null-checks. Any
  comparison (`==`, `!=`, `<`, `>`, `<=`, `>=`) on the LHS of `&&` or
  `||`, or a compound `&&`/`||` chain whose leaves are comparisons,
  is now treated as a short-circuit guard. The RHS is still required
  to be mutation-free (no `=`, `+=`, `++`, `--`) so patterns like
  `file_size > 0 && buflen >= file_size && fseek(...)` and
  `arr->len == arr->cap && !growCapacity(arr)` are no longer flagged,
  while `p || (p = malloc(...))` and `a > 0 && ++count > 10` still
  trigger. Closes task 64.
- INT32-C: skip `sizeof(...)` arguments to `memcpy` / `memmove` /
  `memset` size positions. `sizeof(*ctx)` always yields `size_t` and
  has no signed overflow risk, but the text-based `contains_arithmetic`
  helper false-matched the `*` inside the sizeof. Closes task 66 item 1.

### Benchmark

- Juliet v0.3.97 → v0.3.98: **zero delta** across all 74 CWEs —
  TP 24,622, FP 14,226, TP rate 63.4% (unchanged). The EXP02-C guard
  extension and INT32-C sizeof skip target real-world idioms (sizeof
  in memset, compound comparison chains, equality-plus-call patterns)
  that Juliet does not exercise.
- Real-world v0.3.93 → v0.3.98: **−343 violations** (spans v0.3.94-
  0.3.98 work combined). INT32-C −239 is almost entirely v0.3.98's
  sizeof fix (v0.3.94-0.3.97 did not touch INT32-C); API00-C −111
  and INT31-C −2 come from tasks 68/69/62C. Per-project INT32-C
  deltas: sqlite −169, curl −67, mosquitto −3. MSC04-C +8 minor
  regression carried over from the v0.3.94-0.3.97 range.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z
	������g
-�555Release v0.3.100### Changed

- ENV33-C: replace blanket "pointer parameter → flag" suppression
  with caller-aware lookup. When the containing function has
  pointer/string parameters and no direct taint-source call in its
  body, defer to the reverse call graph: suppress only when every
  caller's prescan summary shows both `has_env03_taint_source` and
  `returns_tainted` are false. Unknown callers stay flagging.
  Mirrors the ENV03-C task 68 pattern.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z�f
+�555Release v0.3.99### Changed

- FunctionSummary: new `returns_tainted` bit and
  `returns_from_callees` set. Seeded in prescan from
  `has_env03_taint_source` on non-void returns, then propagated to
  fixpoint via a new `propagate_return_taint` pass so wrapper chains
  (`char *wrap() { return readIt(); }`) inherit a callee's taint bit.
  Same-named static merging ORs the new bits (mirrors the existing
  `has_env03_taint_source` merge).
- ENV03-C: extend `rhs_is_safe` with a `call_expression` arm. A
  `data = helper(...)` assignment is now treated as safe when
  `helper`'s summary is known and has neither
  `has_env03_taint_source` nor `returns_tainted`. Unknown callees stay
  conservative. Suppresses Juliet CWE-78 v42-style goodG2B(Source)
  patterns while still flagging the corresponding `data =
  badSource(...)` bad paths (badSource contains `recv`).
- INT31-C: `call_rhs_has_taint_source` now recognises callees whose
  summary has `returns_tainted` set. Catches transitive wrappers
  without requiring a direct taint-source call in the immediate
  callee's body.

### Benchmark

- Juliet v0.3.98 → v0.3.99: TP 24,622→24,590 (−32), FP 14,226→14,082
  (**−144**), TP rate 63.4% → **63.6%** (+0.2pp). ENV03-C is the only
  affected rule: TP 652→620, FP 468→**324** — a **4.5:1 FP:TP
  ratio**, the cleanest ratio for ENV03-C since task 67 (v0.3.94's
  4.1:1). CWE-78 TP rate 74.1% → **76.6%** (+2.5pp). CWE-426 side
  benefit: FP 188→164 (−24, 1:1 with TP drop). Zero other-rule
  regressions. INT31-C was neutral on Juliet — the transitive-wrapper
  pattern exists in real-world code but not in the Juliet v42 CWE-194/
  195 templates, which use direct taint-source calls inside their
  `badSource` helpers.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z��3h
-�=555Release v0.3.101### Changed

- ENV33-C: walk the reverse call graph transitively in
  `callers_are_all_clean`. v0.3.100 only checked direct callers, which
  lost TPs on Juliet CWE-78 variants 52c/53d/54e where intermediate
  forwarding sinks are clean pass-throughs but a grand-caller holds the
  recv/fgets. BFS-style walk with a visited set guards against cycles.

### Benchmark

- Juliet v0.3.99 → v0.3.101: TP 24,590 → 24,478 (−112), FP 14,082 →
  13,632 (**−450**), TP rate 63.6% → **64.2%** (+0.6pp). ENV33-C is
  the only affected rule: TP 1550 → 1438, FP 500 → **50** — a
  **4.02:1 FP:TP ratio**, matching the PLAN.md task 49 projection for
  CWE-78 helper-sink suppression. CWE-78 TP rate 76.6% → **87.7%**
  (+11.1pp). Zero other-CWE regressions. The remaining 50 ENV33-C FPs
  are all v65b function-pointer variants where the call graph has no
  edge for `funcPtr(data)` — future work requires function-pointer
  call-graph edges (same limitation noted in task 49A).done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z
RkR�j
-�555Release v0.3.103### Changed

- STR02-C: port the ENV03-C / ENV33-C caller-aware suppression template.
  When `system()` / `popen()` is called with a function parameter that's
  only tainted by the default "params are untrusted" rule — i.e. the
  enclosing body contains no direct taint-source call — walk the reverse
  call graph and suppress iff every transitive caller's summary shows
  `has_env03_taint_source` and `returns_tainted` both false. BFS with a
  visited set, matching the ENV33-C pattern that handles Juliet's
  variant 52c/53d/54e multi-level forwarding chains. New fields
  `function_summaries` + `callers` on `Str02C` populated from
  `ProjectContext.call_graph` in `set_project_context`.

### Benchmark

- Juliet v0.3.102 → v0.3.103: TP 24,542 → 24,518 (−24), FP 13,498 →
  **13,358** (−140), TP rate 64.5% → **64.7%** (+0.2pp). Zero
  other-CWE regressions; every non-CWE-78 cell in the delta report is
  exactly zero.
  - CWE-78 TP rate 90.3% → **94.8%** (+4.5pp). STR02-C FP 140 → **0**,
    TP 560 → 536 (−24). **5.83:1 FP:TP ratio** — best ratio so far in
    the CWE-78 taint-aware series (prior bests: 4.5:1 at task 49A, 4.1:1
    at task 67). STR02-C now contributes zero FPs to CWE-78; all 140
    remaining CWE-78 FPs are on ENV03-C (v42-style return-tainted
    helpers and v45 global-static pointer reads).
  - CWE-78 TP rate (94.8%) now exceeds clang-tidy's 91.6% shared-CWE
    average — CWE-78 is no longer a competitor-parity gap.
- Real-world (curl / sqlite / mosquitto / libcrc / hostap): not rerun.
  The change reuses existing `FunctionSummary` fields (no new summary
  bits, no schema change), so real-world behaviour matches v0.3.102
  which had zero delta from v0.3.98.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z�i
-�{555Release v0.3.102### Changed

- prescan (`collect_callees`): resolve function-pointer aliases when
  building the call graph. The function body is now walked twice — the
  first pass captures `void (*fp)(char *) = target;` init declarators
  and `fp = target;` rebinds into a local alias map, the second pass
  emits callees with aliased identifiers rewritten to the target
  function. Juliet v65a/b sinks now surface a real caller edge instead
  of a dangling `funcPtr` entry.
- prescan (`has_env03_taint_source`): also match per-file macro aliases
  whose target is in `ENV03_TAINT_SOURCE_FUNCTIONS`. Juliet's
  `#define GETENV getenv` wrappers now correctly poison the caller's
  summary, so ENV03-C / ENV33-C / INT31-C caller-aware suppression
  treats `GETENV(ENV_VARIABLE)` as a real taint source.
- `function_summary::compute_summaries` gains a `taint_source_aliases`
  parameter plumbed through `analyze_function` and
  `collect_function_summaries`. Per-file alias collection in prescan
  (and header resolution) pre-filters aliases to those resolving to a
  taint source before calling summarize.

### Benchmark

- Juliet v0.3.101 → v0.3.102: TP 24,478 → **24,542** (+64), FP 13,632
  → **13,498** (−134), TP rate 64.2% → **64.5%** (+0.3pp). Zero
  other-CWE regressions.
  - CWE-78 TP rate 87.7% → **90.3%** (+2.6pp). ENV33-C FP 50 → **0**,
    TP 1438 → 1514 (+76). ENV03-C FP 324 → 300 (−24), TP 620 → 628
    (+8). 50 FP → 0 for variant 65b, plus +76 TPs recovered in other
    helper-sink variants where the bad caller used a macro-wrapped
    taint source (GETENV, FGETS, etc.) previously missed by the text
    scan.
  - CWE-194 TP rate 67.9% → **69.4%** (+1.5pp), FP −30, TP −10.
  - CWE-195 TP rate 51.9% → **52.5%** (+0.6pp), FP −30, TP −10.
  - INT31-C: FP 1452 → 1392 (−60), TP 2142 → 2122 (−20). 3:1 ratio.
- Real-world v0.3.98 → v0.3.102 (curl, sqlite, mosquitto, libcrc,
  hostap): zero delta. Change is Juliet-specific — these codebases
  don't use Juliet's function-pointer-across-files pattern or macro
  aliases that resolve to taint sources.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z
[�[��Rm
o�955549G: ENV03-C v34 union-field-alias FP suppressionEliminated ~20 ENV03-C v34 FPs (OMITGOOD union-alias pattern). walk_for_taint case-insensitive for UPPERCASE macro aliases (GETENV->getenv). rhs_is_safe + walk_pointer_aliases handle dot field_expression. v0.3.107.done2026-04-22T19:22:38Z2026-04-23T15:04:45Z2026-04-23T15:04:45Z�Rn
o�955549G: ENV03-C v34 union-field-alias FP suppressionEliminated ~20 ENV03-C v34 FPs (OMITGOOD union-alias pattern). walk_for_taint case-insensitive for UPPERCASE macro aliases (GETENV->getenv). rhs_is_safe + walk_pointer_aliases handle dot field_expression. v0.3.107.done2026-04-22T19:22:42Z2026-04-22T19:22:51Z2026-04-22T19:22:51Z�-l
w�g55549E: ENV03-C v45 global-static pointer write trackingLast remaining major CWE-78 FP contributor (~140 FPs). Juliet v45 pattern: static global pointer is written in function A (good path: clean data) and read in function B (goodG2BSink pattern) before SYSTEM(data). Currently FPs because char *data = g_static is seen as untrusted identifier init. Fix: prescan collects writers of file-scope static variables, ENV03-C seeds clean globals (all writers have has_env03_taint_source=false AND returns_tainted=false) into safe_sources. Symmetric to caller-aware taint check but inverted (writers instead of callers).done2026-04-20T17:24:37Z2026-04-20T17:25:17Z2026-04-20T18:17:29Z�Hk
-�g555Release v0.3.104### Changed

- ENV03-C: extend caller-aware suppression to local command variables
  derived from a function parameter. When the `system()` / `popen()`
  argument is a local like `char *data = *dataPtr` (variant 63),
  `char *data = dataArray[2]` (variant 66), `char *data =
  myStruct.structFirst` (variant 67), or a chain through a cast such as
  `char **dataPtr = (char **)dataVoidPtr; char *data = *dataPtr;`
  (variant 64), walk writes to the command var and — if every write is
  derived via deref / subscript / field / cast from a function
  parameter (possibly through other parameter-derived locals) —
  reuse `callers_are_all_clean`. Suppress iff every caller's summary
  has `has_env03_taint_source` false. New helper
  `is_command_var_parameter_derived` + write-collection fixpoint.
- `function_summary::ENV03_TAINT_SOURCE_FUNCTIONS` and the matching
  scope-local list in `env03_c` now cover wide-character and Windows
  input equivalents: `fgetws`, `getwchar`, `getwc`, `fgetwc`,
  `wscanf`/`fwscanf`/`swscanf`/`vwscanf`/`vfwscanf`, `_getws`,
  `_getws_s`, `_wgetenv`, `_wgetenv_s`. Juliet's
  `wchar_t_console_*` / `wchar_t_file_*` variants read via `fgetws`;
  with these absent, the bad-path caller's summary was (incorrectly)
  clean and the new parameter-derived fix was over-suppressing the
  wchar_t bad-sink TPs. Mirrors the narrow-char coverage.

### Benchmark

- Juliet CWE-78 (single-rule ENV03-C measurement, prescan enabled):
  - Pre-change: 660 violations (520 TP / 140 FP, 78.8% TP rate).
  - Post-change: 680 violations (620 TP / 60 FP, **91.2% TP rate**).
  - FP −80, TP +100 — **0.8:1 FP:TP ratio** (net gain of TPs
    exceeds FPs eliminated). Both axes move in the right direction
    because the wide-char taint expansion recovers bad-path TPs that
    were previously silently suppressed by the clean-caller check.
  - Variant-level: v63/v64/v66/v67 FPs go to 0 each (80 FPs cleared);
    wchar_t bad-sink TPs (variants v01-v18, v21-v68) recover 4 each
    across ~25 variants.
  - Remaining 60 ENV03-C CWE-78 FPs: v34 (union field access, 20),
    v45 (static global pointer read, 20), v68 (extern global pointer
    read cross-file, 20). These need type-aware field analysis or
    global-write tracking, out of scope here.
- Full Juliet + real-world rerun deferred (changes reuse existing
  `FunctionSummary` fields; wide-char taint additions affect ENV33-C /
  INT31-C / STR02-C identically to ENV03-C but those are all
  conservative additions — a missing source was letting taint through).done2026-04-20T16:58:09Z2026-04-20T00:00:00Z2026-04-20T00:00:00Z
A���
J.�#
+�555Release v0.2.25[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- STR04-C: binary buffer skip, only flag `unsigned char` arrays with string
  literal evidence.
- INT18-C: uint64_t recognition via `type_identifier` nodes.
- EXP05-C: AST-based const detection replacing text-based check.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z��#
+�555Release v0.3.13[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- EXP34-C multi-pass prescan propagation: `propagate_param_null_states()`
  resolves relay chains across function call hierarchies.

### Fixed

- EXP33-C for-loop init recognition: `has_preceding_assignment_in_block()` walks
  ancestor scopes. `for_init_assigns_var()` recognizes init clauses as
  dominating assignments. Handles `for (i = 0; ...)`, `for (int i = 0; ...)`,
  and comma expressions.
- INT30-C: `is_subtraction_guarded_by_comparison()` detects `if (a >= b) { a -
  b }` patterns. Supports `>=`, `>`, `<=`, `<` and compound `&&` conditions.
  Generalized `1U`/`1u` suffix handling.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�3"
)�A555Release v0.3.8[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- API00-C: 4 new validation patterns for parameter checking.

### Fixed

- STR31-C: gated string-literal suppression on `!is_function_parameter()` in
  `check_strcpy_safety` and `check_strcat_safety`. Fixed
  `check_sequential_strcat_overflow` to scan only current function's line range.
- EXP33-C: field/subscript write no longer treated as read (-576 FP, -299 TP).done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�!
)�555Release v0.3.5[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- Struct field type resolution: prescan collects struct definitions into
  `struct_field_types` in `ProjectContext`. `infer_type()` resolves
  `field_expression` types. Integrated with INT32-C and INT30-C.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�h 
)�+555Release v0.3.3[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- POS49-C: `is_local_variable()` skips stack-local struct member assignments.
- EXP12-C: `connect() != 0` in binary_expression not flagged.
- INT30-C: `is_literal_one()` strips unsigned/long suffixes.
  `is_preceded_by_increment()` checks for `var++`/`++var`/`var += 1` before
  subtraction.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z


�s4
+�?555Release v0.3.32### Fixed

- DCL07-C/DCL31-C FP reduction (-11,556 real-world violations, -7.1%). Three
  root causes addressed:
  1. Prescan deep recursion: `collect_function_names` now recurses into ALL
     child nodes (not just `preproc_*` blocks), finding functions inside ERROR
     nodes from tree-sitter misparses.
  2. Macro alias integration: DCL rules now check `macro_aliases` from prescan.
  3. External library whitelist: OpenSSL, Tcl/Tk, Apple CoreFoundation,
     mbedTLS, cJSON, zlib, GnuTLS, wolfSSL prefixes. `defined` operator
     skipped.
- DCL07-C: 10,617 -> 4,765 (-55.1%). DCL31-C: 10,543 -> 4,840 (-54.1%).
- Juliet: zero change (47.0% TP rate preserved).done2026-04-20T16:58:08Z2026-03-22T00:00:00Z2026-03-22T00:00:00Z
���rJ
+�=555Release v0.3.60### Added

- EXP39-C: CWE-188 struct memory layout assumption detection. Two new checks:
  (1) struct field pointer arithmetic — flags *(T*)(ptr + offset) where ptr was
  assigned from &struct.field, (2) union type punning — flags sub-field access
  into struct member of union after writing to a different scalar member.
  36 TP/0 FP (100%). All 36 Juliet files detected.
- FIO42-C: CWE-459 incomplete temp file cleanup. Detects mkstemp/mktemp/MKSTEMP
  /MKTEMP calls without corresponding unlink/remove/DeleteFile cleanup in the
  same function. 34 TP/0 FP (100%). 34/36 files (variant-12 mixed branches missed).
- POS55-C: new rule for CWE-666 socket operation ordering. State machine enforces
  bind() → listen() → accept() order. Flags accept before listen/bind, listen
  before bind. 162 TP/0 FP (100%). All 90 Juliet files detected.
- MEM03-C: CWE-226 sensitive data not cleared before release. Detects pointer/array
  variables with sensitive names (password, secret, credential, passphrase) not
  cleared with SecureZeroMemory/memset/explicit_bzero before function exit.
  68 TP/0 FP (100%). 68/72 files (variant-12 missed).
- MEM35-C: CWE-789 unbounded memory allocation from untrusted input.
  Intra-procedural taint analysis flags malloc/calloc/realloc in functions with
  taint sources (recv, fgets, fscanf, rand) and no upper-bound check (< constant).
  190 TP/0 FP (100%). Cross-function variants need inter-procedural taint.
- ERR07-C: CWE-114 untrusted library path / process control. Intra-procedural
  taint analysis flags LoadLibraryA/W/dlopen in functions with taint sources.
  126 TP/0 FP (100%). Cross-function variants need inter-procedural taint.

### Results

- Juliet v0.3.60: 24,408 TP / 21,117 FP — 53.6% TP rate (+0.7pp from v0.3.59).
  +730 TP, 0 FP. 31 CWEs at 100% precision (up from 25). Per-file rate 40.9%.
  Only 2 zero-detection CWEs remaining (CWE-259, CWE-328).
- Bonus: CWE-680 +80 TP/0 FP (MEM35-C taint caught integer-overflow-to-buffer-
  overflow), CWE-244 +34 TP/0 FP (MEM03-C sensitive data caught heap inspection).done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z
::�B�
Y�y5FIO30-C FP investigation and reductionFIO30-C has 696 FPs (36.7% rate, 1,200 TP). This is a format-string taint rule. No VRA. The Juliet benign variants use non-user-controlled format strings or use literal format strings. Need to investigate which Juliet CWE-134 variants are generating FPs. May be addressable through: literal format string detection, taint flow analysis, or const_eval for format string args.pending2026-05-17T15:29:05Z
	�	����555INT31-C taint-aware suppression for signed→size_t conversionsDescription:
Reuse ENV03-C's taint-source summary bit to suppress
 INT31-C FPs on Juliet CWE-194/195 helper-function variants.

Details:
DONE. INT31-C FP 2172→1452 (-720), TP 2608→2142 (-466). 1.54:1 FP:TP.

Approach: when the converted variable is inside an `if (var < LIT)`
upper-bound guard (positive literal), suppress iff:
  * the containing function's summary has no taint source, AND
  * no `var = fn(...)` assignment targets a tainted callee, AND
  * for parameters, every caller is taint-free too.

Local-variable case additionally requires evidence of at least one
call-return assignment from a clean callee — prevents over-suppression
of v45-style `int data = global_static;` reads where the global could
have been tainted elsewhere in the project.

Substring bug trap: `decl_text.contains(var_name)` matched `dataBuffer`
when looking for `data`. Fixed by walking the declarator tree to its
leaf identifier for an exact match.

Results: CWE-194 TP rate 58.4% → **67.9%** (+9.5pp). CWE-195 TP rate
48.7% → 51.9% (+3.2pp). Overall TP rate 62.7% → **63.4%** (+0.7pp).
Zero other-rule regressions.

Remaining INT31-C FPs are in v42-style `data = helper(data)` returning
tainted values, v45-style global pointers, and v65a/b function-pointer
cross-file patterns (no call-graph edge). Function-pointer and
return-value taint would be the next wins if pursued.

Original status line: done (v0.3.96)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z TP
rate 76.6% → **87.7%** (+11.1pp). Zero other-rule regressions.

Approach: mirror the ENV03-C task 68 / 49A pattern. Replace the
blanket "pointer parameter → flag" check with a caller-aware
transitive walk of the reverse call graph. Suppress iff every
reachable ancestor's summary has both `has_env03_taint_source` and
`returns_tainted` false. BFS with a visited set handles cycles and
multi-level forwarding chains (Juliet variants 52c/53d/54e have
intermediate clean pass-through sinks whose grand-caller holds the
recv/fgets).

Remaining gaps for CWE-78 (~50 ENV33-C FPs, plus ~324 ENV03-C FPs
and 140 STR02-C) and CWE-194/195 (~1224 INT31-C FPs):
  - Global/static pointer read tracking (v45-style `char *data =
    g_goodG2BData;` where `g_goodG2BData` was last written elsewhere)
  - Function-pointer cross-file calls (v65a/b, v67 variants — no
    call-graph edge for `funcPtr(data)`)
  - Extend the same clean-callee `rhs_is_safe` pattern to ENV33-C —
    same template as ENV03-C, likely similar 4:1 ratio (~500 FP
    candidates).
  - CWE-89 sinks: add SQL injection entry points (sqlite3_exec,
    mysql_query, PQexec) and the STR02-C or a new taint-sink rule.

Rule candidates that would benefit from the existing taint bits once
integrated: FIO30-C, STR02-C, FMT variants for format-string injection.

This task stays open as the coordinating umbrella; individual
rule-integration rounds are tracked as follow-ons to tasks 68/69/49A.


## Sub-task 113 — ENV03-C macro-value path check + CWE-426 caller-aware (DONE v0.3.113)

Replace ALL-CAPS heuristic in check_writes with macro-value absolute-path check
(is_safe_command_macro): GOOD_OS_COMMAND=/usr/bin/ls is safe, BAD_OS_COMMAND=ls is not,
and argument fragments like SAFE_CMD_ARGS=" -la" are also safe to strcat.
Add collect_string_literal_macros / is_safe_command_macro / is_relative_command_macro
to const_eval.rs; handles wide-string L"..." macros.
Add FunctionSummary.has_relative_command_write prescan bit: set when a function calls
strcpy/strcat with a macro expanding to a known relative-path command string.
callers_are_all_clean and call_is_clean now gate on both has_env03_taint_source AND
has_relative_command_write, blocking CWE-426 bad callers from passing the clean check.

Results: CWE-426 0 TP -> 132 TP / 0 FP; CWE-78 unchanged (2810 violations, 0 FPs).

Original status line: partial (v0.3.94-0.3.113 — tasks 67-69 + 49A/49B/49C/49D/113 delivered)

## Sub-task 115+116 — INT32-C/INT30-C goodG2B caller constant arg propagation (DONE v0.3.116)

Root cause: VRA initializes function parameters with full type range (e.g. [INT64_MIN, INT64_MAX])
even when ALL callers pass the same safe constant (e.g. data=2). So goodG2BSink(data=2) still
triggered data+1 may overflow because VRA could not prove the value was safe.

Fix (v0.3.115): Added callsite_param_const_int to FunctionSummary. prescan now walks each
function body to collect constant call-site arguments via collect_callsite_int_args_from_tree.
Two invalidation mechanisms: (1) pointer_expression &var in a call invalidates the variable
(fscanf pattern); (2) any non-literal assignment (data=LLONG_MAX, data=rand()) invalidates
the variable (v0.3.116 fix). aggregate_callsite_int_args stores param->const only when ALL
call sites agree. VRA then seeds [v,v] instead of full range. compute_vra_if_needed in
mod.rs runs this for same-file scans too.

v0.3.115 had TP -171 / FP -228 (+0.30pp) due to data=0LL followed by data=LLONG_MAX
leaving data=0 in map; v0.3.116 fixes by invalidating on any non-literal RHS assignment.

v0.3.116 CONFIRMED results (vs v0.3.114 baseline):
  Overall: TP +0 / FP -228 / TP rate +0.40pp — zero TP regression
  CWE-190 INT32-C: TP 1421->1421 (+0), FP 999->909 (-90)
  CWE-190 INT30-C: TP 403->403 (+0),  FP 291->261 (-30)
  CWE-191 INT32-C: TP 1151->1151 (+0), FP 810->738 (-72)
  CWE-191 INT30-C: unchanged
  CWE-369 / CWE-680: FP -24 / -12, TP +0 each (side benefit)
  228 FPs eliminated with no TP regression.

Status line update: v0.3.94-0.3.116in-progress2026-04-20T16:45:55Z2026-04-20T16:45:55Z9hes per-file macro aliases whose
   target is in `ENV03_TAINT_SOURCE_FUNCTIONS`. Juliet macro wrappers
   (`#define GETENV getenv`, `#define FGETS fgets`, etc.) are now
   caught, so callers of v65b-style sinks get correctly classified as
   tainted. New `taint_source_aliases: &[String]` parameter on
   `compute_summaries` / `analyze_function` carries the pre-filtered
   alias list without widening the existing `MacroConstantMap` contract.

Results: Juliet TP 24,478 → **24,542** (+64), FP 13,632 → **13,498**
(−134), TP rate 64.2% → **64.5%** (+0.3pp). Zero other-rule
regressions.
  - CWE-78 TP rate 87.7% → **90.3%** (+2.6pp). ENV33-C FP 50 → **0**,
    TP 1438 → 1514 (+76) — the macro-alias fix recovered TPs previously
    missed because `GETENV(data)` etc. didn't poison the caller's
    summary, so helper-sink suppression over-applied.
  - ENV03-C: FP 324 → 300 (−24), TP 620 → 628 (+8). Clean win from the
    same macro-alias recognition.
  - INT31-C: FP 1452 → 1392 (−60), TP 2142 → 2122 (−20). CWE-194 TP
    rate +1.5pp, CWE-195 +0.6pp.

Real-world (curl / sqlite / mosquitto / libcrc / hostap): zero delta
v0.3.98 → v0.3.102. The fix is Juliet-specific — function-pointer
tables in real-world code don't match Juliet's helper-sink shape, and
no real-world codebase in the set macro-wraps a taint source.

Remaining CWE-78 gap (~280 FP across ENV03-C 300 + STR02-C 140): v42
return-tainted `data = helper(data)` chains and v45 global-static
pointer reads still need return-value propagation and global-write
tracking respectively. The function-pointer edge lands variant 65;
variant 67 wasn't in the measured FP contributors this round.

## Sub-task 49D — STR02-C caller-aware suppression (DONE v0.3.103)

Port the ENV33-C task 49B template to STR02-C. Previously STR02-C
tainted every parameter by default ("params are external input") and
flagged any `system()` / `popen()` whose arg resolved to a tainted
variable — so every Juliet `_goodG2BSink(char *data) { popen(data); }`
produced an FP. New gate: suppress iff (a) the arg is a function
parameter, (b) the enclosing body has no direct taint-source call,
and (c) every transitive caller's summary has both
`has_env03_taint_source` and `returns_tainted` false. BFS with
visited-set handles variants 52c/53d/54e exactly like ENV33-C.

Threading the scope required passing `func_scope: &Node` through
`check_sinks` → `check_dangerous_function_call` →
`check_command_injection_risk`; `check_single_function` seeds it
from the current `function_definition`.

Reused existing infrastructure: STR02-C now owns a
`function_summaries` + `callers` RefCell pair populated from
`ProjectContext.call_graph` in `set_project_context`. No new summary
bits needed — the `has_env03_taint_source` + `returns_tainted` pair
from v0.3.99 / v0.3.102 covers exactly the shape STR02-C wants.

Results: Juliet TP 24,542 → **24,518** (−24), FP 13,498 → **13,358**
(−140), TP rate 64.5% → **64.7%** (+0.2pp). **5.83:1 FP:TP** — best
ratio in the task 49 series so far (prior bests 4.5:1 at 49A, 4.02:1
at 49B, 4.1:1 at task 67). Zero other-CWE regressions.
  - CWE-78 TP rate 90.3% → **94.8%** (+4.5pp). STR02-C FP 140 → **0**,
    TP 560 → 536 (−24). STR02-C now contributes zero FPs to CWE-78.
  - CWE-78 TP rate (94.8%) now **exceeds clang-tidy's 91.6%** on the
    overlapping-CWE competitor benchmark — CWE-78 is no longer a
    parity gap.
  - Remaining 140 CWE-78 FPs are all on ENV03-C: v42-style
    `data = helper(data)` chains (return-tainted propagation) and v45
    global-static pointer reads. STR02-C structurally can't hit these
    because its taint tracking starts from "params = tainted" rather
    than from externally-read buffers.

Real-world: not rerun. No new `FunctionSummary` fields; STR02-C
consumes the same bits that v0.3.102 already populates.

## Sub-task 49B — ENV33-C caller-aware suppression (DONE v0.3.101)

ENV33-C FP 500 → **50** (−450), TP 1550 → 1438 (−112). **4.02:1
FP:TP** — matches the task 49 umbrella 4:1 projection. CWE-78E-78 TP
rate 76.6% → **87.7%** (+11.1pp). Zero other-rule regressions.

Approach: mirror the ENV03-C task 68 / 49A pattern. Replace the
blanket "pointer parameter → flag" check with a caller-aware
transitive walk of the reverse call graph. Suppress iff every
reachable ancestor's summary has both `has_env03_taint_source` and
`returns_tainted` false. BFS with a visited set handles cycles and
multi-level forwarding chains (Juliet variants 52c/53d/54e have
intermediate clean pass-through sinks whose grand-caller holds the
recv/fgets).

Remaining gaps for CWE-78 (~50 ENV33-C FPs, plus ~324 ENV03-C FPs
and 140 STR02-C) and CWE-194/195 (~1224 INT31-C FPs):
  - Global/static pointer read tracking (v45-style `char *data =
    g_goodG2BData;` where `g_goodG2BData` was last written elsewhere)
  - Function-pointer cross-file calls (v65a/b, v67 variants — no
    call-graph edge for `funcPtr(data)`)
  - Extend the same clean-callee `rhs_is_safe` pattern to ENV33-C —
    same template as ENV03-C, likely similar 4:1 ratio (~500 FP
    candidates).
  - CWE-89 sinks: add SQL injection entry points (sqlite3_exec,
    mysql_query, PQexec) and the STR02-C or a new taint-sink rule.

Rule candidates that would benefit from the existing taint bits once
integrated: FIO30-C, STR02-C, FMT variants for format-string injection.

This task stays open as the coordinating umbrella; individual
rule-integration rounds are tracked as follow-ons to tasks 68/69/49A.


## Sub-task 113 — ENV03-C macro-value path check + CWE-426 caller-aware (DONE v0.3.113)

Replace ALL-CAPS heuristic in check_writes with macro-value absolute-path check
(is_safe_command_macro): GOOD_OS_COMMAND=/usr/bin/ls is safe, BAD_OS_COMMAND=ls is not,
and argument fragments like SAFE_CMD_ARGS=" -la" are also safe to strcat.
Add collect_string_literal_macros / is_safe_command_macro / is_relative_command_macro
to const_eval.rs; handles wide-string L"..." macros.
Add FunctionSummary.has_relative_command_write prescan bit: set when a function calls
strcpy/strcat with a macro expanding to a known relative-path command string.
callers_are_all_clean and call_is_clean now gate on both has_env03_taint_source AND
has_relative_command_write, blocking CWE-426 bad callers from passing the clean check.

Results: CWE-426 0 TP -> 132 TP / 0 FP; CWE-78 unchanged (2810 violations, 0 FPs).

Original status line: partial (v0.3.94-0.3.113 — tasks 67-69 + 49A/49B/49C/49D/113 delivered)

## Sub-task 115+116 — INT32-C/INT30-C goodG2B caller constant arg propagation (DONE v0.3.116)

Root cause: VRA initializes function parameters with full type range (e.g. [INT64_MIN, INT64_MAX])
even when ALL callers pass the same safe constant (e.g. data=2). So goodG2BSink(data=2) still
triggered data+1 may overflow because VRA could not prove the value was safe.

Fix (v0.3.115): Added callsite_param_const_int to FunctionSummary. prescan now walks each
function body to collect constant call-site arguments via collect_callsite_int_args_from_tree.
Two invalidation mechanisms: (1) pointer_expression &var in a call invalidates the variable
(fscanf pattern); (2) any non-literal assignment (data=LLONG_MAX, data=rand()) invalidates
the variable (v0.3.116 fix). aggregate_callsite_int_args stores param->const only when ALL
call sites agree. VRA then seeds [v,v] instead of full range. compute_vra_if_needed in
mod.rs runs this for same-file scans too.

v0.3.115 had TP -171 / FP -228 (+0.30pp) due to data=0LL followed by data=LLONG_MAX
leaving data=0 in map; v0.3.116 fixes by invalidating on any non-literal RHS assignment.

v0.3.116 CONFIRMED results (vs v0.3.114 baseline):
  Overall: TP +0 / FP -228 / TP rate +0.40pp — zero TP regression
  CWE-190 INT32-C: TP 1421->1421 (+0), FP 999->909 (-90)
  CWE-190 INT30-C: TP 403->403 (+0),  FP 291->261 (-30)
  CWE-191 INT32-C: TP 1151->1151 (+0), FP 810->738 (-72)
  CWE-191 INT30-C: unchanged
  CWE-369 / CWE-680: FP -24 / -12, TP +0 each (side benefit)
  228 FPs eliminated with no TP regression.

Status line update: v0.3.94-0.3.116partial2026-04-20T16:45:55Z2026-04-20T16:45:55Z;matches per-file macro aliases whose
   target is in `ENV03_TAINT_SOURCE_FUNCTIONS`. Juliet macro wrappers
   (`#define GETENV getenv`, `#define FGETS fgets`, etc.) are now
   caught, so callers of v65b-style sinks get correctly classified as
   tainted. New `taint_source_aliases: &[String]` parameter on
   `compute_summaries` / `analyze_function` carries the pre-filtered
   alias list without widening the existing `MacroConstantMap` contract.

Results: Juliet TP 24,478 → **24,542** (+64), FP 13,632 → **13,498**
(−134), TP rate 64.2% → **64.5%** (+0.3pp). Zero other-rule
regressions.
  - CWE-78 TP rate 87.7% → **90.3%** (+2.6pp). ENV33-C FP 50 → **0**,
    TP 1438 → 1514 (+76) — the macro-alias fix recovered TPs previously
    missed because `GETENV(data)` etc. didn't poison the caller's
    summary, so helper-sink suppression over-applied.
  - ENV03-C: FP 324 → 300 (−24), TP 620 → 628 (+8). Clean win from the
    same macro-alias recognition.
  - INT31-C: FP 1452 → 1392 (−60), TP 2142 → 2122 (−20). CWE-194 TP
    rate +1.5pp, CWE-195 +0.6pp.

Real-world (curl / sqlite / mosquitto / libcrc / hostap): zero delta
v0.3.98 → v0.3.102. The fix is Juliet-specific — function-pointer
tables in real-world code don't match Juliet's helper-sink shape, and
no real-world codebase in the set macro-wraps a taint source.

Remaining CWE-78 gap (~280 FP across ENV03-C 300 + STR02-C 140): v42
return-tainted `data = helper(data)` chains and v45 global-static
pointer reads still need return-value propagation and global-write
tracking respectively. The function-pointer edge lands variant 65;
variant 67 wasn't in the measured FP contributors this round.

## Sub-task 49D — STR02-C caller-aware suppression (DONE v0.3.103)

Port the ENV33-C task 49B template to STR02-C. Previously STR02-C
tainted every parameter by default ("params are external input") and
flagged any `system()` / `popen()` whose arg resolved to a tainted
variable — so every Juliet `_goodG2BSink(char *data) { popen(data); }`
produced an FP. New gate: suppress iff (a) the arg is a function
parameter, (b) the enclosing body has no direct taint-source call,
and (c) every transitive caller's summary has both
`has_env03_taint_source` and `returns_tainted` false. BFS with
visited-set handles variants 52c/53d/54e exactly like ENV33-C.

Threading the scope required passing `func_scope: &Node` through
`check_sinks` → `check_dangerous_function_call` →
`check_command_injection_risk`; `check_single_function` seeds it
from the current `function_definition`.

Reused existing infrastructure: STR02-C now owns a
`function_summaries` + `callers` RefCell pair populated from
`ProjectContext.call_graph` in `set_project_context`. No new summary
bits needed — the `has_env03_taint_source` + `returns_tainted` pair
from v0.3.99 / v0.3.102 covers exactly the shape STR02-C wants.

Results: Juliet TP 24,542 → **24,518** (−24), FP 13,498 → **13,358**
(−140), TP rate 64.5% → **64.7%** (+0.2pp). **5.83:1 FP:TP** — best
ratio in the task 49 series so far (prior bests 4.5:1 at 49A, 4.02:1
at 49B, 4.1:1 at task 67). Zero other-CWE regressions.
  - CWE-78 TP rate 90.3% → **94.8%** (+4.5pp). STR02-C FP 140 → **0**,
    TP 560 → 536 (−24). STR02-C now contributes zero FPs to CWE-78.
  - CWE-78 TP rate (94.8%) now **exceeds clang-tidy's 91.6%** on the
    overlapping-CWE competitor benchmark — CWE-78 is no longer a
    parity gap.
  - Remaining 140 CWE-78 FPs are all on ENV03-C: v42-style
    `data = helper(data)` chains (return-tainted propagation) and v45
    global-static pointer reads. STR02-C structurally can't hit these
    because its taint tracking starts from "params = tainted" rather
    than from externally-read buffers.

Real-world: not rerun. No new `FunctionSummary` fields; STR02-C
consumes the same bits that v0.3.102 already populates.

## Sub-task 49B — ENV33-C caller-aware suppression (DONE v0.3.101)

ENV33-C FP 500 → **50** (−450), TP 1550 → 1438 (−112). **4.02:1
FP:TP** — matches the task 49 umbrella 4:1 projection. CW
~6��)�6
�	��~~�E
�	555Eliminate compiler warnings (clean build generates noise)Clean build generates excessive warnings from stub rules, masking real issues. Root causes: unused imports in stub rules, missing allow attributes. Originally P0-001 in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:15Z2026-05-07T19:24:17Z2026-05-07T19:24:17Z
I
E�Y5Add mutex poisoning recoveryMultiple lock().unwrap() calls in src/progress.rs and src/rules/cert_c/integration.rs have no poisoning recovery. A thread panic while holding a lock cascades to crash the entire run. Originally P1-002 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:24Z��
U�+5Add TOML validation to build processbuild.rs merges individual rule TOML files but does not validate the output. Syntax errors, schema violations, and malformed fields go undetected until runtime. Originally P1-001 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:22Z�@|��c555EXP02-C: allow hardware-flag && countdown-decrement short-circuit pattern3 FPs in e_bms_primcu3124_scud — while((_iar2 & 0x04) && (--timeout)) pattern: left operand is hardware register flag check (volatile), right is bounded countdown --timeout. Short-circuit is intentional: if hw condition clears, timeout is not decremented. Same pattern documented in d_lib_common FP-016/FP-019. Fix: extend EXP02-C exemption to cover VOLATILE_FLAG_CHECK && (--counter) pattern, not just NULL_CHECK && fn_call.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z��A�m555PRE10-C: recognize do-while(0) wrapper spanning multiple lines with backslash continuation1 FP in e_bms_primcu3124_scud — IO_F_mcu_pwm macro (bms.h:211) correctly wrapped in do{...}while(0) but sqc flags it as unwrapped. The do-while spans multiple lines using backslash continuation. Fix: parse multi-line macro body with backslash continuations before checking for do-while wrapper pattern.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�w{�G�)555ARR39-C: do not flag sizeof-bounded loop when pointer type is u8*/uint8_t* (element size = 1)1 FP in e_bms_primcu3124_scud — sys.c:372: for(i=0;i<sizeof(bsm_data_log);i++) with (u8*)bsm_data_log.CELL_MAX+i. Pointer cast to u8* so +i advances exactly 1 byte. sizeof() and pointer step are in same unit. Fix: ARR39-C should not fire when pointer type is u8*/uint8_t* since element size is 1 byte and no scaling mismatch exists.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�k���#	5Every rule violation should report where and why it failedRules should include precise source location and human-readable explanation in their output. Originally P0-003 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:18Z�a�
o�#	5Optimize runtime performance on real repositoriesTool is too slow for practical use on real codebases. Needs profiling and optimization pass. Originally P0-002 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:17Z�u~�-�?555EXP15-C: do not fire on empty loop body when condition polls a volatile variable6 FPs in e_bms_primcu3124_scud — spin-poll busy-waits like while(_txif0==0); and while(!_hircf); flagged as likely accidental empty bodies. All are intentional hardware peripheral-ready/clock-stable polls. Also: sqc message says semicolon is 'on the same line' but it is consistently on the next line in this codebase. Fix: if loop condition operand is a volatile variable or has form while(volatile_var op constant), treat empty body as intentional and suppress EXP15-C.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�T}��555PRE07-C: do not flag trigraph sequences inside // or /* */ comments2 FPs in e_bms_primcu3124_scud — sys.c:319,340 have ?- sequences inside // comments where Chinese text is garbled/truncated (变量初始??? etc.). Even if it were a real trigraph (expands to ~), trigraphs in C99+ comments have no semantic effect. Fix: skip PRE07-C when the trigraph-like sequence appears inside a comment.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z
f..�
���;��M�
E�Y555Add mutex poisoning recoveryMultiple lock().unwrap() calls in src/progress.rs and src/rules/cert_c/integration.rs have no poisoning recovery. A thread panic while holding a lock cascades to crash the entire run. Originally P1-002 in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:24Z2026-05-07T19:31:22Z2026-05-07T19:31:22Z��
U�+5Add TOML validation to build processbuild.rs merges individual rule TOML files but does not validate the output. Syntax errors, schema violations, and malformed fields go undetected until runtime. Originally P1-001 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:22Z�@�
s�555Implement EXP34-C: Do not dereference null pointersHigh-priority CERT C rule (P18 severity). Requires scope-aware control-flow analysis — significant architectural work, estimated 25-60 hours. Originally P1-EXP34-C in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:32Z2026-05-07T19:24:17Z2026-05-07T19:24:17Z��	��E5Fix wiki parser to exclude output examples from test generationWiki scraper creates test .c files from runtime output blocks (not actual C code), producing unparseable test files. Example: MSC32-C tests/fail/wiki_posix_2.c. Parser needs to distinguish code examples from output documentation. Originally P2-WIKI-PARSER in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:40Z�
u�Y5Automate mod.rs rule registry generation in build.rsEvery new rule requires two manual edits to src/rules/cert_c/mod.rs (pub mod declaration + registry.register call). Should be auto-generated from d�e�
u�Y555Automate mod.rs rule registry generation in build.rsEvery new rule requires two manual edits to src/rules/cert_c/mod.rs (pub mod declaration + registry.register call). Should be auto-generated from directory scan in build.rs. Originally P2-AUTO-REGISTRY in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:37Z2026-05-07T19:25:40Z2026-05-07T19:25:40Z�M�
�555Implement FIO30-C: Exclude user input from format stringsHigh-priority CERT C rule (P18 severity). Requires interprocedural taint analysis framework — significant architectural work, estimated 40-60 hours. Originally P1-FIO30-C in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:33Z2026-05-07T19:24:17Z2026-05-07T19:24:17Z�M�
]�5Add folder nesting to interactive clientInteractive client should support navigating rules organized by folder/category. Originally P1-004 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:29Z�6�
O�k5Improve test debugging experienceGenerated test names are opaque, failure output lacks source location, debug prints get overwritten on rebuild. Need better linkage between failing test name, .c file, and CERT C wiki example. Originally P1-003 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:26Z%E7�������������������������~ytoje`[VQKE�z
G�1555Analysis capabilities roadmapDescription:
Track fundamental analysis limitations and potential improvements.

Details:
DONE. Updated docs/architecture.rst with comprehensive inventory of all 10
analysis modules, current capabilities table (17 entries), known limitations
table (8 entries with impact descriptions), per-CWE ceiling analysis, and
updated competitor landscape from 5-tool benchmark. Previous version was
heavily outdated (referenced "No VRA", "No whole-program analysis", 48% TP
rate — all now incorrect).

Original status line: done (v0.3.87)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�
%�Y5Docker imageDescription:
Containerized CI/CD distribution of sqc.

Details:
Dockerfile for sqc with all dependencies. Enables drop-in CI/CD usage without
local Rust toolchain installation. Part of Tier 2 production quality definition
of done.pending2026-04-20T16:45:55Z�K
I�Q555Inter-procedural .c test casesDescription:
Multi-file C test cases for prescan/call-site propagation.

Details:
DONE. Added 13 multi-file CLI integration tests exercising 4 cross-file
prescan capabilities:

  1. Callsite null propagation (EXP34-C): NULL arg detected across files,
     no detection without -d, safe caller not flagged. (3 tests)
  2. can_return_null (EXP34-C): unchecked nullable return detected,
     checked return safe. (2 tests)
  3. frees_params (MEM31-C): cross-file free suppresses leak, no
     suppression without -d, actual leak still detected. (3 tests)
  4. header_declared_functions (DCL15-C): header-prototyped functions
     suppressed, all flagged without -d. (2 tests)

  Fixtures: tests/fixtures/cli/{crossfile_callsite_null, crossfile_frees,
  crossfile_header}. Each scenario tests with-d, without-d, and safe
  variants.

Original status line: done (v0.3.87)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�
9�5DCL13-C alias trackingDescription:
Reduce DCL13-C FPs (12,138 real-world) via alias/points-to analysis.

Details:
Const correctness violations where pointer params flow through struct fields.
Example: ringbuffer.c:275 ptrBuffer — pointer stored into struct field, then
memset writes through struct member. Requires alias/points-to tracking.
Possible shortcut: if a pointer param is stored into a struct field, treat it
as potentially modified.

Original status line: deferredpending2026-04-20T16:45:55Z�
;�5MEM31-C ownership modelDescription:
Reduce MEM31-C FPs (5,440 real-world) via ownership tracking.

Details:
Cross-function ownership patterns (strdup -> struct field -> custom_Delete)
require an ownership model to track which function is responsible for freeing
allocated memory. New analysis capability, high effort.

Original status line: deferredpending2026-04-20T16:45:55Z�M
O�5MEM30-C field-level free trackingDescription:
Reduce MEM30-C FPs (15,330 real-world) via field-level free tracking.

Details:
Sequential struct/member frees and cross-function free propagation cause high
FP count. Requires field-level free tracking — a new analyf�
e�dzcsbnaj`h_e^c]a\^[[ZVYQXMWIVFUAT?S=R9Q5P2O.N'M LKJIHGF
EDA@
>0�
���>�z
G�1555Analysis capabilities roadmapDescription:
Track fundamental analysis limitations and potential improvements.

Details:
DONE. Updated docs/architecture.rst with comprehensive inventory of all 10
analysis modules, current capabilities table (17 entries), known limitations
table (8 entries with impact descriptions), per-CWE ceiling analysis, and
updated competitor landscape from 5-tool benchmark. Previous version was
heavily outdated (referenced "No VRA", "No whole-program analysis", 48% TP
rate — all now incorrect).

Original status line: done (v0.3.87)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�
%�Y5Docker imageDescription:
Containerized CI/CD distribution of sqc.

Details:
Dockerfile for sqc with all dependencies. Enables drop-in CI/CD usage without
local Rust toolchain installation. Part of Tier 2 production quality definition
of done.pending2026-04-20T16:45:55Z�K
I�Q555Inter-procedural .c test casesDescription:
Multi-file C test cases for prescan/call-site propagation.

Details:
DONE. Added 13 multi-file CLI integration tests exercising 4 cross-file
prescan capabilities:

  1. Callsite null propagation (EXP34-C): NULL arg detected across files,
     no detection without -d, safe caller not flagged. (3 tests)
  2. can_return_null (EXP34-C): unchecked nullable return detected,
     checked return safe. (2 tests)
  3. frees_params (MEM31-C): cross-file free suppresses leak, no
     suppression without -d, actual leak still detected. (3 tests)
  4. header_declared_functions (DCL15-C): header-prototyped functions
     suppressed, all flagged without -d. (2 tests)

  Fixtures: tests/fixtures/cli/{crossfile_callsite_null, crossfile_frees,
  crossfile_header}. Each scenario tests with-d, without-d, and safe
  variants.

Original status line: done (v0.3.87)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�
9�5DCL13-C alias trackingDescription:
Reduce DCL13-C FPs (12,138 real-world) via alias/points-to analysis.

Details:
Const correctness violations where pointer params flow through struct fields.
Example: ringbuffer.c:275 ptrBuffer — pointer stored into struct field, then
memset writes through struct member. Requires alias/points-to tracking.
Possible shortcut: if a pointer param is stored into a struct field, treat it
as potentially modified.

Original status line: deferredpending2026-04-20T16:45:55Z�
;�5MEM31-C ownership modelDescription:
Reduce MEM31-C FPs (5,440 real-world) via ownership tracking.

Details:
Cross-function ownership patterns (strdup -> struct field -> custom_Delete)
require an ownership model to track which function is responsible for freeing
allocated memory. New analysis capability, high effort.

Original status line: deferredpending2026-04-20T16:45:55Z�M
O�5MEM30-C field-level free trackingDescription:
Reduce MEM30-C FPs (15,330 real-world) via field-level free tracking.

Details:
Sequential struct/member frees and cross-function free propagation cause high
FP count. Requires field-level free tracking — a new analysis capability beyond
current architecture. Deferred until ownership model (task 9) or field-sensitive
analysis is implemented.

Original status line: deferredpending2026-04-20T16:45:55Z
�F��3�/}��55Paper — taint tracking for CWE-78/CWE-89 (future work)Description:
Expand cross-function taint tracking for injection CWEs,
  referenced in paper future work section.

Details:
Partial delivery via tasks 67-69 plus v0.3.99 (49A), v0.3.101 (49B),
v0.3.102 (49C), and v0.3.103 (49D). CWE-78 62.8% → **94.8%** (+32.0pp,
now exceeds clang-tidy), CWE-194 58.4% → **69.4%** (+11.0pp), CWE-195
48.7% → 52.5% (+3.8pp).

Delivered infrastructure:
  - `FunctionSummary.has_env03_taint_source` — body text scan for ~25
    taint sources (recv, fgets, scanf, getenv, Win32 I/O, etc.)
  - `FunctionSummary.returns_tainted` + `returns_from_callees`
    (v0.3.99, task 49A) — seeded from `has_env03_taint_source` on non-
    void returns, then propagated to fixpoint via
    `propagate_return_taint` so wrapper chains
    (`char *wrap() { return readIt(); }`) inherit the bit.
  - Reverse call graph built in each consuming rule from
    `ProjectContext.call_graph`.
  - Same-named static function merging in prescan (any tainted def
    poisons the merged summary; OR-merges both taint bits).

Rule integrations so far:
  - ENV03-C: parameter path → caller summary lookup (task 68); local
    command var `data = helper(...)` → callee clean-summary check
    (task 49A).
  - ENV33-C: pointer-parameter helper-sink path → transitive caller
    summary walk (task 49B). Mirrors ENV03-C task 68, with a BFS
    over the reverse call graph for Juliet variants 52c/53d/54e.
  - INT31-C: signed→size_t inside upper-bound guards → caller / callee /
    local-assignment summary lookups (task 69); `call_rhs_has_taint_source`
    now also treats `returns_tainted` callees as tainted (task 49A).
  - STR02-C: tainted-parameter → caller summary lookup (task 49D).
    Mirrors ENV33-C's BFS pattern; gated on "scope has no direct taint
    source" so local-recv paths stay flagging.

## Sub-task 49A — Return-value taint (DONE v0.3.99)

ENV03-C FP 468 → **324** (−144), TP 652 → 620 (−32). **4.5:1 FP:TP**
— cleanest ratio since task 67. CWE-78 TP rate 74.1% → **76.6%**
(+2.5pp). CWE-426 side benefit: FP −24 (1:1). Zero other-rule
regressions. INT31-C was neutral on Juliet; the wrapper pattern
exists in real-world code but Juliet CWE-194/195 v42 templates call
taint sources directly inside `badSource`, so the new transitive
bit had no additional TPs to catch there.

## Sub-task 49C — Function-pointer call graph + macro-aliased taint (DONE v0.3.102)

Two linked prescan fixes targeting Juliet v65a/b helper-sink variants.

1. `collect_callees` resolves function-pointer aliases. The function body
   is scanned once to build a local `pointer_var → target_function` map
   from init declarators (`void (*fp)(char *) = target;`) and later
   rebinds (`fp = target;`), then callees are emitted with aliases
   rewritten. Juliet v65a `caller → sink` edges are now first-class
   instead of landing as a `funcPtr` dead-end callee.

2. `has_env03_taint_source` also <�7
G�u5Paper — real bug case studyDescription:
Find and document a confirmed real defect in one of the 5
  open-source benchmark codebases detected by SqC but missed by cppcheck
  and clang-tidy.

Details:
Strongest paper contribution would be a confirmed bug (ideally with a CVE
or upstream fix) found by SqC.  Candidates:

  - EXP34-C on mosquitto (8,657 violations) — high volume, likely contains
    real null dereference paths.  Cross-reference with mosquitto's issue tracker.
  - ERR33-C on curl (unchecked return values) — curl has strict error handling
    conventions, violations may be real.
  - MEM30-C on any project — use-after-free is high-severity.

Process: run sqc on latest versions, export JSON, filter by high-severity
rules, manually verify top candidates, check if upstream has acknowledged
or fixed the issue.

Paper impact: new Section "Case Study" between Worked Example and Limitations.pending2026-04-20T16:45:55ZChes per-file macro aliases whose
   target is in `ENV03_TAINT_SOURCE_FUNCTIONS`. Juliet macro wrappers
   (`#define GETENV getenv`, `#define FGETS fgets`, etc.) are now
   caught, so callers of v65b-style sinks get correctly classified as
   tainted. New `taint_source_aliases: &[String]` parameter on
   `compute_summaries` / `analyze_function` carries the pre-filtered
   alias list without widening the existing `MacroConstantMap` contract.

Results: Juliet TP 24,478 → **24,542** (+64), FP 13,632 → **13,498**
(−134), TP rate 64.2% → **64.5%** (+0.3pp). Zero other-rule
regressions.
  - CWE-78 TP rate 87.7% → **90.3%** (+2.6pp). ENV33-C FP 50 → **0**,
    TP 1438 → 1514 (+76) — the macro-alias fix recovered TPs previously
    missed because `GETENV(data)` etc. didn't poison the caller's
    summary, so helper-sink suppression over-applied.
  - ENV03-C: FP 324 → 300 (−24), TP 620 → 628 (+8). Clean win from the
    same macro-alias recognition.
  - INT31-C: FP 1452 → 1392 (−60), TP 2142 → 2122 (−20). CWE-194 TP
    rate +1.5pp, CWE-195 +0.6pp.

Real-world (curl / sqlite / mosquitto / libcrc / hostap): zero delta
v0.3.98 → v0.3.102. The fix is Juliet-specific — function-pointer
tables in real-world code don't match Juliet's helper-sink shape, and
no real-world codebase in the set macro-wraps a taint source.

Remaining CWE-78 gap (~280 FP across ENV03-C 300 + STR02-C 140): v42
return-tainted `data = helper(data)` chains and v45 global-static
pointer reads still need return-value propagation and global-write
tracking respectively. The function-pointer edge lands variant 65;
variant 67 wasn't in the measured FP contributors this round.

## Sub-task 49D — STR02-C caller-aware suppression (DONE v0.3.103)

Port the ENV33-C task 49B template to STR02-C. Previously STR02-C
tainted every parameter by default ("params are external input") and
flagged any `system()` / `popen()` whose arg resolved to a tainted
variable — so every Juliet `_goodG2BSink(char *data) { popen(data); }`
produced an FP. New gate: suppress iff (a) the arg is a function
parameter, (b) the enclosing body has no direct taint-source call,
and (c) every transitive caller's summary has both
`has_env03_taint_source` and `returns_tainted` false. BFS with
visited-set handles variants 52c/53d/54e exactly like ENV33-C.

Threading the scope required passing `func_scope: &Node` through
`check_sinks` → `check_dangerous_function_call` →
`check_command_injection_risk`; `check_single_function` seeds it
from the current `function_definition`.

Reused existing infrastructure: STR02-C now owns a
`function_summaries` + `callers` RefCell pair populated from
`ProjectContext.call_graph` in `set_project_context`. No new summary
bits needed — the `has_env03_taint_source` + `returns_tainted` pair
from v0.3.99 / v0.3.102 covers exactly the shape STR02-C wants.

Results: Juliet TP 24,542 → **24,518** (−24), FP 13,498 → **13,358**
(−140), TP rate 64.5% → **64.7%** (+0.2pp). **5.83:1 FP:TP** — best
ratio in the task 49 series so far (prior bests 4.5:1 at 49A, 4.02:1
at 49B, 4.1:1 at task 67). Zero other-CWE regressions.
  - CWE-78 TP rate 90.3% → **94.8%** (+4.5pp). STR02-C FP 140 → **0**,
    TP 560 → 536 (−24). STR02-C now contributes zero FPs to CWE-78.
  - CWE-78 TP rate (94.8%) now **exceeds clang-tidy's 91.6%** on the
    overlapping-CWE competitor benchmark — CWE-78 is no longer a
    parity gap.
  - Remaining 140 CWE-78 FPs are all on ENV03-C: v42-style
    `data = helper(data)` chains (return-tainted propagation) and v45
    global-static pointer reads. STR02-C structurally can't hit these
    because its taint tracking starts from "params = tainted" rather
    than from externally-read buffers.

Real-world: not rerun. No new `FunctionSummary` fields; STR02-C
consumes the same bits that v0.3.102 already populates.

## Sub-task 49B — ENV33-C caller-aware suppression (DONE v0.3.101)

ENV33-C FP 500 → **50** (−450), TP 1550 → 1438 (−112). **4.02:1
FP:TP** — matches the task 49 umbrella 4:1 projection. CWE-78 TP
rate 76.6% → **87.7%** (+11.1pp). Zero other-rule regressions.

Approach: mirror the ENV03-C task 68 / 49A pattern. Replace the
blanket "pointer parameter → flag" check with a caller-aware
transitive walk of the reverse call graph. Suppress iff every
reachable ancestor's summary has both `has_env03_taint_source` and
`returns_tainted` false. BFS with a visited set handles cycles and
multi-level forwarding chains (Juliet variants 52c/53d/54e have
intermediate clean pass-through sinks whose grand-caller holds the
recv/fgets).

Remaining gaps for CWE-78 (~50 ENV33-C FPs, plus ~324 ENV03-C FPs
and 140 STR02-C) and CWE-194/195 (~1224 INT31-C FPs):
  - Global/static pointer read tracking (v45-style `char *data =
    g_goodG2BData;` where `g_goodG2BData` was last written elsewhere)
  - Function-pointer cross-file calls (v65a/b, v67 variants — no
    call-graph edge for `funcPtr(data)`)
  - Extend the same clean-callee `rhs_is_safe` pattern to ENV33-C —
    same template as ENV03-C, likely similar 4:1 ratio (~500 FP
    candidates).
  - CWE-89 sinks: add SQL injection entry points (sqlite3_exec,
    mysql_query, PQexec) and the STR02-C or a new taint-sink rule.

Rule candidates that would benefit from the existing taint bits once
integrated: FIO30-C, STR02-C, FMT variants for format-string injection.

This task stays open as the coordinating umbrella; individual
rule-integration rounds are tracked as follow-ons to tasks 68/69/49A.


## Sub-task 113 — ENV03-C macro-value path check + CWE-426 caller-aware (DONE v0.3.113)

Replace ALL-CAPS heuristic in check_writes with macro-value absolute-path check
(is_safe_command_macro): GOOD_OS_COMMAND=/usr/bin/ls is safe, BAD_OS_COMMAND=ls is not,
and argument fragments like SAFE_CMD_ARGS=" -la" are also safe to strcat.
Add collect_string_literal_macros / is_safe_command_macro / is_relative_command_macro
to const_eval.rs; handles wide-string L"..." macros.
Add FunctionSummary.has_relative_command_write prescan bit: set when a function calls
strcpy/strcat with a macro expanding to a known relative-path command string.
callers_are_all_clean and call_is_clean now gate on both has_env03_taint_source AND
has_relative_command_write, blocking CWE-426 bad callers from passing the clean check.

Results: CWE-426 0 TP -> 132 TP / 0 FP; CWE-78 unchanged (2810 violations, 0 FPs).

Original status line: partial (v0.3.94-0.3.113 — tasks 67-69 + 49A/49B/49C/49D/113 delivered)

## Sub-task 115+116 — INT32-C/INT30-C goodG2B caller constant arg propagation (DONE v0.3.116)

Root cause: VRA initializes function parameters with full type range (e.g. [INT64_MIN, INT64_MAX])
even when ALL callers pass the same safe constant (e.g. data=2). So goodG2BSink(data=2) still
triggered data+1 may overflow because VRA could not prove the value was safe.

Fix (v0.3.115): Added callsite_param_const_int to FunctionSummary. prescan now walks each
function body to collect constant call-site arguments via collect_callsite_int_args_from_tree.
Two invalidation mechanisms: (1) pointer_expression &var in a call invalidates the variable
(fscanf pattern); (2) any non-literal assignment (data=LLONG_MAX, data=rand()) invalidates
the variable (v0.3.116 fix). aggregate_callsite_int_args stores param->const only when ALL
call sites agree. VRA then seeds [v,v] instead of full range. compute_vra_if_needed in
mod.rs runs this for same-file scans too.

v0.3.115 had TP -171 / FP -228 (+0.30pp) due to data=0LL followed by data=LLONG_MAX
leaving data=0 in map; v0.3.116 fixes by invalidating on any non-literal RHS assignment.

v0.3.116 CONFIRMED results (vs v0.3.114 baseline):
  Overall: TP +0 / FP -228 / TP rate +0.40pp — zero TP regression
  CWE-190 INT32-C: TP 1421->1421 (+0), FP 999->909 (-90)
  CWE-190 INT30-C: TP 403->403 (+0),  FP 291->261 (-30)
  CWE-191 INT32-C: TP 1151->1151 (+0), FP 810->738 (-72)
  CWE-191 INT30-C: unchanged
  CWE-369 / CWE-680: FP -24 / -12, TP +0 each (side benefit)
  228 FPs eliminated with no TP regression.

Status line update: v0.3.94-0.3.116in-progress2026-04-20T16:45:55Z2026-04-20T16:45:55Z
�����f
M�555MEM31-C FP reduction for CWE-401Description:
Reduce MEM31-C FPs on CWE-401 (memory leak).
 CWE-401: 77.6% vs clang-tidy 83.9% (−6.3pp, 220 FP remaining)

Details:
DONE. MEM31-C: 786 TP/763 FP → 761 TP/220 FP (-543 FP, -25 TP, 21.7:1 ratio).
CWE-401 TP rate 50.7% → 77.6% (+26.9pp). Rule FP rate 49.3% → 22.4%.

  Three fixes:
  1. Prescan callee-frees-param: integrate FunctionSummary.frees_params.
  2. Transitive free propagation: param pass-through + fixpoint in prescan.
  3. If/else branch merge: UNION of freed memory from both branches.

  Remaining 220 FPs: switch constants, pointer-to-pointer, global variables.

Original status line: done (v0.3.86)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�-

E�555Binary distribution packagesDescription:
Generate AppImage, Windows .exe, .deb, and .rpm packages for sqc.

Details:
Packaging targets:
  - AppImage (Linux portable): use cargo-appimage or linuxdeploy with sqc binary +
    .desktop file + icon. Single self-contained executable for any Linux distro.
  - Windows .exe: cross-compile with x86_64-pc-windows-gnu or -msvc target.
    Optionally wrap in an MSI installer via cargo-wix.
  - .deb (Debian/Ubuntu): use cargo-deb. Include sqc binary in /usr/bin/,
    man page (task 52) in /usr/share/man/man1/, config examples in
    /usr/share/doc/sqc/. Set dependencies (libc6).
  - .rpm (Fedora/RHEL): use cargo-generate-rpm. Same file layout as .deb.

CI/CD integration: GitHub Actions matrix build with release artifacts uploaded
on tag push. Use cross for cross-compilation where needed.

Artifact bundle (per knots reference in ~/data/knots/.github/workflows/build.yml):
binary + LICENSE + THIRD_PARTY_LICENSES.txt + sqc.cdx.json (from task 71).done2026-04-20T16:45:55Z2026-05-07T19:21:05Z2026-05-07T19:21:05Z�
	
W�5Paper — finalization and submissionDescription:
Final paper revisions, formatting, and submission preparation.

Details:
Current state: paper/sqc.tex compiles to 10 pages, two-column, with 5 figures,
8 tables, and 11 references.  Uses plain article class.

Remaining items:
  - Update numbers when tasks 46-47 complete
  - Choose target venue and switch to appropriate template:
    * IEEE S&P / USENIX Security / ACM CCS (top tier, competitive)
    * NDSS / ACSAC (strong security venues)
    * IEEE SecDev / SCORED (tools-focused, better fit)
    * ICSME / ASE (software engineering, tool papers track)
  - Add Eric and Tristan's institutional affiliation if not BISSELL
  - Review by co-authors
  - Proofread and style consistency passpending2026-04-20T16:45:55Z
���0
m�w555INT30-C embedded guard/bound pattern recognitionDescription:
Reduce INT30-C FPs on bounded embedded arithmetic.

Details:
DONE. Work spread across v0.3.88, v0.3.89, v0.3.92, v0.3.93.

Patterns recognized across the four commits:

  1. **Bitmask wrapping** (`(x + 1) & MASK`): v0.3.88 via
     `is_addition_masked_by_bitand`. Applies to addition only — the mask
     bounds the result regardless of any wrap.
  2. **Narrow-pre-cast addition/multiplication**: v0.3.88 + v0.3.89 via
     `both_operands_narrow_pre_cast` /`is_narrow_cast_plus_small_const` /
     `is_narrow_cast_times_small_const` using `effective_operand_type`
     that peers through explicit casts to recover `uint8_t` / `uint16_t`.
  3. **(WIDE)(a - b) guarded by `a > b + POS`**: v0.3.89 via
     `is_cast_over_guarded_narrow_sub` + `cond_gt_b_plus_positive`.
  4. **Same-array subtraction / widened comparison**: covered by
     narrow-pre-cast + guarded-subtraction combination.
  5. **Wide-unsigned struct-field `++`/`--`** (`ctx->tick++`,
     `obj.seq--`): v0.3.92 direct skip in `check_increment_decrement`.
     Monotonic counter fields wrap at 2^32/2^64 and are benign; Juliet
     CWE-190/191 only exercises local-variable `++`, so no TP loss.
  6. **Thin calloc wrapper** (`calloc(nmemb, size)` where both args are
     function parameters): v0.3.92 via
     `calloc_args_are_function_params` — delegates overflow to C11
     calloc (§7.22.3.2).
  7. **Implicit-else early-exit guard** (`if (a < b) return; /* a - b */`):
     v0.3.92 via `preceding_early_exit_guards_subtraction` + the new
     `if_always_exits` helper.

Infrastructure fixes surfaced along the way:
  * v0.3.92: `get_function_arguments` now iterates named children, so
    `args[0]` is the real first argument instead of a `(` token. This
    unmasked a latent bug where malloc/realloc multiplication overflow
    detection was silently disabled and calloc messages read
    `calloc((, nmemb)`.
  * v0.3.93: dropped the dedicated malloc/realloc allocation-overflow
    check. `check_multiplication` already covers the inner `*` (with
    full VRA + SIZE_MAX-guard awareness), so the allocation-level check
    produced nothing but duplicate diagnostics and occasional FPs on
    provably-safe good-paths. Calloc keeps its dedicated check because
    its multiplication is implicit.
  * v0.3.92: `has_function_context_check` falls back to the translation
    unit for snippet-style tests without an enclosing function.

Empirical impact on target embedded codebases (INT30-C suppressions
stripped for measurement, -I include paths unchanged):
  d_lib_common:          1 → 0 INT30-C FPs
  d_lib_serial_leds:    12 → 8 INT30-C FPs
  d_lib_airpath:         2 → 2 (unchanged; bounded-shift compound
                                addition, see Remaining below)
  d_lib_networking:      0 → 0

Real-world (v0.3.91 → v0.3.93): **−187 INT30-C violations**
  curl:      -106   mosquitto:  -44
  sqlite:     -37   libcrc:       0

Juliet v0.3.93 vs v0.3.91: zero delta across all 74 CWEs (the v0.3.92
duplicate-diagnostic regression on CWE-680 was fully reversed by the
v0.3.93 dedupe).

Remaining serial_leds FPs need narrow-operand propagation through local
assignments (brightness arithmetic via `uint32_t range = (uint32_t)a -
(uint32_t)b` then `range * time`). Airpath FPs need shift-aware
effective-type recognition for compound accumulators (`ctx->ad_sum +=
(... >> SHIFT) + 1`). Both deferred — low FP count, risk of Juliet TP
regressions on CWE-190/191.

Original status line: done (v0.3.93)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
		�{
u�555EXP34-C null safety through if-guards and &stack_varDescription:
Reduce EXP34-C FPs where null safety is established by
 if-guard-with-early-return or &stack_variable callers (~16 FPs).

Details:
DONE. Patterns A and B were already fixed by cumulative EXP34-C work
(v0.3.82 AST-level null guard fallback, v0.2.20 &stack_var propagation).
Verified on all four target embedded codebases (d_lib_common,
d_lib_serial_leds, d_lib_networking, d_lib_airpath_debris_sensing):
zero EXP34-C FPs remain except one `Memory_Free(NULL)` wrapper case.

v0.3.90-0.3.91 broadened the fix to related idioms surfaced by the
realworld benchmark:

  1. `PARAM == 0` / `PARAM != 0` null-check detection (plus reversed-
     operand and all-spacing variants). sqlite/libcurl consistently use
     this idiom (e.g. `if(pStmt==0) return ...`) — previously unrecognized.
  2. EXP34-C: skip deref-function arg check when callee is in the
     null-safe list. `free(NULL)` and `realloc(NULL, n)` are defined
     per C11 7.22.3.3 / 7.22.3.5 — flagging them is incorrect.
  3. Alias null-check recognition: `TYPE *alias = param;` followed by
     a null-check on `alias` logically null-checks `param`. Common in
     libcurl wrappers (curl_easy_setopt, curl_multi_cleanup).

Benchmark (v0.3.89 → v0.3.91):
  Realworld: −321 violations total. EXP34-C −242, API00-C −79.
    sqlite −285, mosquitto −30, curl −3, libcrc −3, hostap 0.
  Juliet: TP −102 (all CWE-690 free() with potentially-null arg —
    by-design suppression, not a regression). FP unchanged.

Pattern C (callback `void *` params) remains open but is lower priority
(requires trust annotations or library modeling).

Original status line: done (v0.3.91)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
���
}�1555API00-C validation look-ahead past variable declarationsDescription:
Reduce API00-C FPs where parameter validation exists but
 is not detected due to intervening variable declarations (~12 FPs).

Details:
Three sub-patterns triaged:

  A. **Validation past var decls** — already handled pre-v0.3.97. The
     existing `check_validation_patterns` walks the entire body (not just
     the first N statements) and `collect_else_if_chain_validations`
     traverses full if/else-if/else chains, so cases like
     `Ringbuffer_read` (if/else-if/else with NULL checks after a
     `result_e result = …;` declaration) no longer FP. Verified on
     d_lib_common with API00-C suppressions stripped — zero FPs for this
     sub-pattern.

  C. **void\* container where NULL is valid** — implemented in v0.3.97.
     New type-aware suppression: a `void *` / `const void *` parameter
     that is never dereferenced locally (`*p`, `p->x`, `p[i]`) and
     passes through only to null-accepting stdlib sinks (free, realloc,
     Memory_Free, Memory_Realloc, cfree) or callees whose summary
     validates the corresponding argument is treated as a generic-
     container slot where NULL is a valid value.

     Helpers: `is_generic_void_pointer_type` (bare `void *`, rejects
     `void **` and array decls) + `is_void_ptr_storage_safe` (walks the
     body, collects every parent-kind, returns true only if every use is
     storage-like or a verified safe call).

     Results (Juliet v0.3.96 → v0.3.97):
       - API00-C: TP 90→84 (-6), FP 116→104 (-12). **2.0:1 FP:TP**.
       - CWE-476 TP rate 58.9% → **59.6%** (+0.7pp).
       - Overall TP rate unchanged at 63.4%.
       - Zero other-rule regressions.

     Real-world d_lib_common: 1 → 0 API00-C FP (ArrayList_Append).

  B. **Embedded API contract — no NULL check by design** (3 FPs in
     airpath, ~17 FPs in serial_leds). Deferred. All remaining real-
     world API00-C FPs are public-API functions that dereference `ctx`
     without validation by hardware-contract design (e.g.
     `DebrisSensor_AdcSample`, `SerialLeds_set_*`). No clean AST-level
     signal distinguishes these from genuine FPs — continuing to rely
     on `SQC-SUPPRESS: API00-C` at the function site. Options considered
     and rejected:
       * Skip all public API with `_set_` / `_Init` / `_update` prefixes
         — too broad; masks real bugs in other projects.
       * Require explicit header prototype + Doxygen `@pre` — no
         reliable way to parse `@pre` contracts from tree-sitter.
       * Switch API00-C severity to Low for non-static functions —
         doesn't reduce FP count, only its visibility.

Original status line: done (v0.3.97) — A already covered, C implemented, B deferreddone2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z

���
q�O555DCL19-C / DCL00-C scope and const-qualify FP fixesDescription:
Fix DCL19-C flagging public API functions and DCL00-C
 flagging loop counter variables (6 FPs in serial_leds).

Details:
DONE. Both fixes landed in v0.3.88 via commit 2c78eac2.

  A. **DCL19-C on public API** — `set_project_context` receives
     `header_declared_functions` from prescan; the "should be static"
     check now skips any function whose name appears in a header
     traversed via `-I`. serial_leds `SerialLeds_set`,
     `SerialLeds_set_rgb`, `SerialLeds_set_brightness`: 3 → 0.

  B. **DCL00-C on loop counters** — `is_in_for_loop_init` walks up
     the declaration's parent chain to detect when the declaration is
     itself the init clause of a `for_statement`. serial_leds
     `uint8_t g` across three for-loops: 3 → 0.

Original status line: done (v0.3.88)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�\
m�O555EXP02-C extended short-circuit guard recognitionDescription:
Extend EXP02-C guard pattern recognition beyond
 NULL_CHECK && fn_call to cover all common guard idioms (4 FPs).

Details:
DONE. Landed over two rounds.

v0.3.88 (task 64 initial): extended the NULL-guard exemption to `||`
and added `has_mutation_side_effects` so `p || (p = malloc(...))`
and `i++ > 10` still flag.

v0.3.98 (task 64 remaining): generalized the guard check from
null-specific substring matching to AST-based comparison detection.
`is_guard_pattern` now recognises any `binary_expression` whose
operator is `==`, `!=`, `<`, `>`, `<=`, or `>=`, plus compound
`&&` / `||` chains whose leaves are guards (recursive),
plus truthiness (bare identifier / `!x`) and parenthesized
wrappers. Combined with the preserved mutation check, the rule now
correctly suppresses:

  file_size > 0 && buflen >= file_size && fseek(...)
  self == NULL || IntSet_Contains(self, element)
  len == capacity && !growCapacity(self)
  arr->len == arr->cap && !ArrayList_growCapacity(arr)

while still flagging:

  p || (p = malloc(...))           — assignment in RHS
  a > 0 && ++count > 10            — update in RHS

Juliet: zero delta (all 4 EXP02-C tests still pass, CWE-taxonomy
totals unchanged). Real-world: EXP02-C delta below the top-5
per-rule threshold (task 64 targets d_lib_common, outside the
real-world benchmark set).

Original status line: done (v0.3.98)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�{
y�555MEM05-C / ARR32-C false VLA and stack allocation fixesDescription:
Fix false VLA detection and spurious stack allocation
 warnings (3 FPs across 2 codebases).

Details:
DONE. All three embedded FPs resolved by a single root-cause fix: the
MEM05-C VLA detector was text-matching `[...]` anywhere in a
declaration, so array subscripts inside initializers were
misclassified as variable-length sizes.

  1. **ARR32-C on header-defined constant** — `is_all_constant_expression`
     recursively walks binary_expression leaves, so
     `[MAX_LEDS * BYTES_PER_LED]` now passes as a constant expression
     when both identifiers are ALL_CAPS macros.
  2. **MEM05-C on array subscript** — `find_array_declarator_size`
     looks for an actual `array_declarator` node instead of bracket
     text, and `init_declarator`'s value field is explicitly skipped
     so `uint8_t x = arr[i]` is no longer a "VLA".
  3. **MEM05-C on 1-byte stack variable** — same AST-level fix. The
     "large stack allocation" message never fires; previous FPs were
     subscripts-in-initializers misclassified as VLAs. No size
     threshold was needed.

Empirical impact (serial_leds / airpath, suppressions stripped):
  serial_leds MEM05-C: 1 → 0
  serial_leds ARR32-C: 1 → 0
  airpath     MEM05-C: 1 → 0

Original status line: done (v0.3.88)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
����m
�_555ENV03-C locally-safe popen/system command var suppressionDescription:
Reduce ENV03-C FPs on Juliet CWE-78 goodG2B functions where
 the command variable is provably derived from string literals only.

Details:
DONE. ENV03-C FP 1272→612 (-660), TP 912→752 (-160). **4.1:1 FP:TP**,
cleanest ratio since v0.2.23.

Approach: new `is_command_var_locally_safe()` in env03_c.rs. Fixpoint over
char-array declarations and pointer aliases, then walks every write to the
command variable. Suppress only when every write is from a string literal,
a locally-initialized buffer, or strcat/strcpy with a literal source.

Short-circuits that still flag:
  - Direct string literal (defense-in-depth preserved for existing tests).
  - Function parameter (caller-supplied, handled by task 68).
  - Any taint-source call in scope (recv, fgets, scanf, getenv, etc.).

Required allowing macro-identifier initializers on char arrays — `char
buf[N] = FULL_COMMAND;` is legal C only for macros, so any identifier in
that position is treated as a literal.

CWE-78 TP rate 62.8% → 72.3% (+9.5pp). Overall TP rate 61.7% → 62.5%
(+0.8pp). Zero other-rule regressions.

Original status line: done (v0.3.94)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�v
e�555Miscellaneous embedded FP fixes (small wins)Collection of lower-count FPs that don't warrant individual tasks:

  1. **INT32-C sizeof(*ctx)** — DONE (v0.3.98)
  2. **INT33-C non-zero constant macro divisor** — DONE (v0.3.115)
  3. **DCL13-C direct call flagged as function pointer** (serial_leds 2 FPs): not reproducible in current scan
  4. **ARR00-C/ARR01-C bounded array access** (serial_leds 4 FPs): value-range-dependent, deferred
  5. **INT01-C protocol field types** (common 4 FPs): not appearing in current scan
  6. **DCL30-C struct member pointer** (serial_leds 1 FP): not appearing in current scan
  7. **INT00-C explicit uint32_t casts** (serial_leds 1 FP): not appearing in current scan
  8. **MEM30-C sequential frees** — DONE (v0.3.114)
  9. **EXP33-C for-loop init** — MOOT (sqc already handles correctly; code refactored to C99 style)
  10. **ARR36-C integer comparison** (common 1 FP): suppressed in d_lib_common, deferred

## Fix notes

### #1 INT32-C sizeof (v0.3.98)
check_memory_function_overflow early-returns when size arg is sizeof_expression.
INT32-C -239 realworld; Juliet zero delta.

### #8 MEM30-C sequential frees (v0.3.114)
is_freed() union_members loop: strip_prefix + check remainder starts with -> or .
Avoids matching base var itself. Juliet: zero delta. Fixes d_lib_common arraylist.c FP.

### #9 EXP33-C for-loop init — MOOT
sqc CFG puts for-loop initializer in pre-header block before first read.
d_lib_common intset.c refactored to C99 style anyway; no FP in current scan.

### #2 INT33-C non-zero constant macro divisor (v0.3.115)
is_divisor_checked() fast-path: try_evaluate_expr() + file_macros.
Non-zero integer constant macro (BRIGHTNESS_MAX=255) suppresses violation.
Requires -d prescan for cross-file header macros. Fixes 3 FPs in d_lib_serial_leds.
Juliet CWE-369: zero delta.done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-30T00:24:48Z
t	�t���555INT31-C taint-aware suppression for signed→size_t conversionsDescription:
Reuse ENV03-C's taint-source summary bit to suppress
 INT31-C FPs on Juliet CWE-194/195 helper-function variants.

Details:
DONE. INT31-C FP 2172→1452 (-720), TP 2608→2142 (-466). 1.54:1 FP:TP.

Approach: when the converted variable is inside an `if (var < LIT)`
upper-bound guard (positive literal), suppress iff:
  * the containing function's summary has no taint source, AND
  * no `var = fn(...)` assignment targets a tainted callee, AND
  * for parameters, every caller is taint-free too.

Local-variable case additionally requires evidence of at least one
call-return assignment from a clean callee — prevents over-suppression
of v45-style `int data = global_static;` reads where the global could
have been tainted elsewhere in the project.

Substring bug trap: `decl_text.contains(var_name)` matched `dataBuffer`
when looking for `data`. Fixed by walking the declarator tree to its
leaf identifier for an exact match.

Results: CWE-194 TP rate 58.4% → **67.9%** (+9.5pp). CWE-195 TP rate
48.7% → 51.9% (+3.2pp). Overall TP rate 62.7% → **63.4%** (+0.7pp).
Zero other-rule regressions.

Remaining INT31-C FPs are in v42-style `data = helper(data)` returning
tainted values, v45-style global pointers, and v65a/b function-pointer
cross-file patterns (no call-graph edge). Function-pointer and
return-value taint would be the next wins if pursued.

Original status line: done (v0.3.96)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z�u
w�w555ENV03-C cross-function taint for helper-sink variantsDescription:
Suppress ENV03-C FPs in Juliet CWE-78 variants 41-45 where
 the popen/system call lives in a helper function receiving data as a
 parameter.

Details:
DONE. ENV03-C FP 612→468 (-144), TP 752→652 (-100). 1.44:1 FP:TP —
diminishing returns as the remaining target shrinks.

New infrastructure:
  * `FunctionSummary.has_env03_taint_source` bit — populated via body
    text scan for recv/fgets/scanf/getenv-style calls (~25 functions).
  * ENV03-C parameter path consults reverse call graph (callee → callers)
    built from `ProjectContext.call_graph`. Suppress only when every
    caller's summary is clean.

Prescan bug fix (affects other inter-procedural rules too):
  * `collect_call_graph` used `.insert()`, so multiple files with `static
    void goodG2B()` overwrote each other and dropped caller edges.
    Changed to `.entry().or_default().extend()` for call edges, and
    OR-merge for `has_env03_taint_source`. Same-named static merging is
    conservative (any tainted def poisons the merged summary).

Results: CWE-78 TP rate 72.3% → 74.1% (+1.8pp). Overall TP rate 62.5% →
62.7% (+0.2pp). Side effect: EXP34-C -6 FP / 0 TP (prescan merging
recovered a few missed caller links).

CWE-426 (Untrusted Search Path): -24 TP / -24 FP — neutral. Remaining
~468 ENV03-C FPs are v42/v22a-style (`data = helper(data)` return-tainted
assignments) and v45-style (global-static pointers) — need return-value
taint or global-write tracking to shrink further.

Original status line: done (v0.3.95)done2026-04-20T16:45:55Z2026-04-20T16:45:55Z2026-04-20T16:45:55Z
�
4��x
_�555Third-party licensing and SBOM generationDescription:
Generate THIRD_PARTY_LICENSES.txt (cargo-about) and a
 CycloneDX SBOM (cargo-cyclonedx) on every release build, following
 the knots pattern.

Details:
Port the knots setup (~/data/knots/about.toml, ~/data/knots/about.hbs,
and the licensing/SBOM steps in ~/data/knots/.github/workflows/build.yml)
into sqc once the repo is on GitHub.

Files to add:
  - `about.toml` — cargo-about license allowlist. Start from the knots
    set: MIT, Apache-2.0 (+ LLVM-exception), BSD-2/3, ISC, Unicode-3.0,
    Unicode-DFS-2016, Zlib, 0BSD, MPL-2.0, CC0-1.0.
  - `about.hbs` — Handlebars template for THIRD_PARTY_LICENSES.txt
    (one block per license with `used_by` crate list + verbatim text).
  - `LICENSE` or `LICENSE-MIT` + `LICENSE-APACHE` — per task 70
    decision.

GitHub Actions steps (on release / tag push):
  - `cargo install cargo-about --locked`
  - `cargo about generate about.hbs -o THIRD_PARTY_LICENSES.txt`
  - `cargo install cargo-cyclonedx --locked`
  - `cargo cyclonedx --format json --spec-version 1.5`
    → produces `sqc.cdx.json`.

Artifact integration:
  - Stage `THIRD_PARTY_LICENSES.txt` and `sqc.cdx.json` alongside the
    binary in the release artifact bundle (task 53).
  - In deb/rpm/AppImage: install to
    `/usr/share/doc/sqc/{THIRD_PARTY_LICENSES.txt,sqc.cdx.json}`
    and `LICENSE` → `copyright` (deb) / `%license` (rpm).

Optional pre-commit / PR check: run `cargo about generate` in CI
without output redirection so a new dependency with a disallowed
license fails the build before merge.done2026-04-20T16:45:55Z2026-05-07T19:21:05Z2026-05-07T19:21:05Z�I
[�;555Migrate sqc from Azure DevOps to GitHubDescription:
Move the sqc repository from ADO to GitHub. Prerequisite for
 any release workflow, external contribution, or public paper artifact.

Details:
sqc is currently hosted on Azure DevOps. Moving to GitHub unblocks:
  - GitHub Actions release workflows (task 53 binary distribution,
    task 71 licensing/SBOM).
  - `sqc-analysis.yml` (already checked in) — SARIF upload to GitHub
    Code Scanning requires the repo to live on GitHub.
  - External visibility for the paper (task 51) and public bug
    reports against real-world benchmark targets (task 47).

Decisions needed before the move:
  - **Licensing.** `Cargo.toml` declares `MIT OR Apache-2.0` but no
    LICENSE file is checked in. Decide between dual-license (ship
    `LICENSE-MIT` + `LICENSE-APACHE`, Rust convention) or pick one.
    Outcome feeds task 71 artifact layout.
  - **Repo name + org** (personal vs. corporate).
  - **History sanitization.** Review for internal paths, proprietary
    codebase references, or customer-specific fixtures that should
    not become public.
  - **Issue / proposal transfer.** AGENTS/PROPOSALS and planning docs
    can move with the repo; ADO work-item history probably cannot.

Move mechanics: mirror-clone ADO repo with full history, push to the
new GitHub remote, archive the ADO project (read-only) for a transition
period, redirect any CI hooks.done2026-04-20T16:45:55Z2026-05-07T19:21:05Z2026-05-07T19:21:05Z
�Td���
+�555Release v0.2.17[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- EXP34-C Phase 3: MEM10-C positive guard suppression (-38 FP). API02-C
  `const wchar_t *` exclusion. API00-C caller-aware suppression via function
  summaries. Prescan local variable tracking for callsite null state resolution.
- CWE-476: TP 313 -> 320 (+7), FP 542 -> 512 (-30), rate 36.6% -> 38.5%.
- CWE-690 bonus: +36 TP, -63 FP.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�2
+�=555Release v0.2.16[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- EXP34-C Phase 2: call-site null propagation. Call-site flagging for
  DefinitelyNull args. Callee param seeding via `infer_arg_null_state()`.
  Multi-pass aggregation with lattice join.
- CWE-476: +19 TP, +17 FP (rate 35.9% -> 36.6%).done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�m
+�3555Release v0.2.15[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- EXP34-C Phase 1: CFG-based null state dataflow (`src/analyze/null_state.rs`).
  Forward dataflow with NullState lattice. EXP34-C rewritten from ~1200-line
  linear walk to CFG-based analysis.

### Fixed

- MEM10-C: parameter-only null check fix (-106 FP on CWE-476).
- d_lib_common FP round 2: resolved all 17 FP patterns (~51 violations). Key
  fixes: FIO46-C source-order stream tracking, INT32-C field_expression skip,
  FLP03-C scientific notation, EXP12-C parent-check, INT01-C sizeof skip.
- Juliet: -10,678 FP (-5.4%), TP rate 44.7% -> 44.2%.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�)
+�+555Release v0.2.13[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- INT31-C implicit narrowing assignment detection:
  `check_assignment_conversion()` for `init_declarator` and
  `assignment_expression`. Type width comparison with FP suppressions
  (double-flag, validated vars, bounds-check, literal-fits, bitmask).

### Fixed

- DCL19-C: `STATIC` macro recognition.
- INT32-C: skip unsigned operands in binary overflow checks.
- DCL15-C: skip functions with prototypes in `.h` headers.
- INT36-C: exclude struct field access and array subscript.
- PRE31-C: skip string literal arguments from side-effect analysis.
- EXP30-C: recognize `x = f(x)` as safe.
- INT30-C: detect `if (var > 0)` guard before unsigned decrement.
- DCL07-C/31-C: skip indirect calls and preprocessor-guarded blocks.
- Juliet: 44.6% -> 44.7% TP rate, -13,961 FP (-6.6%).

### Changed

- Prescan: `linkage_specification` (`extern "C" {}`) traversal in all walkers.
  `pointer_declarator` handling for pointer-returning prototypes.
  `header_declared_functions` field in `ProjectContext`.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z
�L]-���h 
)�+555Release v0.3.3[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- POS49-C: `is_local_variable()` skips stack-local struct member assignments.
- EXP12-C: `connect() != 0` in binary_expression not flagged.
- INT30-C: `is_literal_one()` strips unsigned/long suffixes.
  `is_preceded_by_increment()` checks for `var++`/`++var`/`var += 1` before
  subtraction.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�#
+�555Release v0.2.25[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- STR04-C: binary buffer skip, only flag `unsigned char` arrays with string
  literal evidence.
- INT18-C: uint64_t recognition via `type_identifier` nodes.
- EXP05-C: AST-based const detection replacing text-based check.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�-
+�3555Release v0.2.22[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Fixed

- ARR02-C: skip implicit bounds check for string-literal-initialized arrays.
- POS02-C: removed `socket`/`setsockopt` from privileged operations.
- PRE31-C: strip string literal content before function-call pattern checks.
- MEM05-C: ALL_CAPS macro constant VLA detection + word-boundary recursion
  matching.
- INT32-C: `is_inside_bounds_checked_block()` extended to while/for statements.
  `extract_mutation_target()` ensures loop-bounded variable matches operation.
- INT30-C: skip subtraction when either operand is `uint64_t`.
- Const-eval: `ValueRange::shl()` clamps negative shift-amount lower bounds
  to 0.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�l
+�1555Release v0.2.21[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- Const-eval / value-range analysis module (`src/analyze/const_eval.rs`, ~550
  lines). `MacroConstantMap` for `#define` constant collection.
  `ValueRange { min, max }` interval arithmetic. `try_evaluate_expr()` /
  `try_evaluate_range()` for recursive AST constant folding.
  `extract_loop_var_ranges()` for loop bounds. Integrated with INT32-C and
  INT30-C.

### Fixed

- Benchmark measurement: analysis script now outputs all rules (previously top
  10 only). 16 existing runs reanalyzed. Eliminated phantom regressions from
  top-10 truncation.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�1
+�;555Release v0.2.20[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- `-I`/`--include-path` flag: pre-pass extracts `#include` directives, resolves
  against search paths. Transitive include resolution with cycle prevention.

### Fixed

- MSC37-C: `STATIC void` macro prefix, `has_void_specifier()` scans all
  children for `void`.
- INT36-C: `(void)` discard cast, bare `void` no longer matched as pointer
  type.
- PRE02-C: trailing comment stripping in macro values.
- ERR33-C: `(void)` cast recognized as intentional discard.
- CON03-C: skip `const`-qualified variables and synchronization primitive types.
- DCL30-C: scalar value copy through pointer no longer flagged as address
  escape.
- FIO47-C: snprintf argument count corrected (subtract 3, not 1).
- EXP37-C: init_declarator skip for K&R-style declarations.
- API00-C: skip static functions + caller-aware suppression via NotNull.
- INT01-C: eliminated double-visit dedup fix (-3 duplicate violations).
- EXP34-C: array declarations tracked as NotNull in prescan.
- Juliet: -2,720 FP, TP rate 44.1% -> 44.2%.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z
Hk5	���H�k'
+�/555Release v0.3.18### Added

- Fast benchmark mode: `generate_rule_cwe_map.py` generates 147 per-CWE
  manifest TOMLs. `run_juliet_parallel.sh --fast` uses per-CWE manifests.
  CWE-476 validation: noise 61.8% -> 0%, TP rate 39.5% -> 46.5%.
- INT31-C: `check_call_argument_conversion()` detects signed integer variables
  passed to functions expecting `size_t`. Covers 20 standard library functions.
  Suppressions for explicit cast, sizeof, literals, bounds check, non-negative
  guard.

### Fixed

- Various false positive reduction improvements.done2026-04-20T16:58:08Z2026-03-14T00:00:00Z2026-03-14T00:00:00Z�$&
+�!555Release v0.3.17### Added

- `collect_macro_aliases()` in const_eval.rs for `#define ALIAS identifier`
  patterns. ENV33-C, ENV03-C, STR02-C resolve aliases before matching dangerous
  functions. Windows exec/spawn variants added to ENV33-C.
- ERR33-C CWE-253: validates comparison correctness for functions classified by
  `ErrorReturnKind` (NullPointer, NegativeInt, Eof, NonZero, Count). Macro
  alias resolution + wchar_t variants. CWE-253: 178 TP, 0 FP, 100% precision.done2026-04-20T16:58:08Z2026-03-12T00:00:00Z2026-03-12T00:00:00Z�4%
+�A555Release v0.3.15### Added

- CWE-aware scoring system: 5 new metrics (FLAW-line hit rate, CWE-matched TP
  rate, per-file detection rate, noise ratio, incidental TP/FP).
  `generate_rule_cwe_map.py` produces `data/rule_cwe_map.json` (117 rules to
  144 CWEs). Integrated into analysis pipeline.
- CWE-124, CWE-126, CWE-127 mappings for ARR30-C, ARR38-C, STR31-C.done2026-04-20T16:58:08Z2026-03-12T00:00:00Z2026-03-12T00:00:00Z�$
+�]555Release v0.3.14### Fixed

- Juliet regression investigation: full-suite benchmark 126,106 TP, 158,036 FP,
  44.4% TP rate. Confirmed regression is cumulative effect of individually
  correct suppressions. Discovered scoring methodology issues (off-by-one in
  FLAW-line matching, incidental noise scored as TP).done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�#
+�555Release v0.3.13[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- EXP34-C multi-pass prescan propagation: `propagate_param_null_states()`
  resolves relay chains across function call hierarchies.

### Fixed

- EXP33-C for-loop init recognition: `has_preceding_assignment_in_block()` walks
  ancestor scopes. `for_init_assigns_var()` recognizes init clauses as
  dominating assignments. Handles `for (i = 0; ...)`, `for (int i = 0; ...)`,
  and comma expressions.
- INT30-C: `is_subtraction_guarded_by_comparison()` detects `if (a >= b) { a -
  b }` patterns. Supports `>=`, `>`, `<=`, `<` and compound `&&` conditions.
  Generalized `1U`/`1u` suffix handling.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�3"
)�A555Release v0.3.8[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- API00-C: 4 new validation patterns for parameter checking.

### Fixed

- STR31-C: gated string-literal suppression on `!is_function_parameter()` in
  `check_strcpy_safety` and `check_strcat_safety`. Fixed
  `check_sequential_strcat_overflow` to scan only current function's line range.
- EXP33-C: field/subscript write no longer treated as read (-576 FP, -299 TP).done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z�!
)�555Release v0.3.5[Release date not recorded in CHANGELOG — inherited 2026-03-11 from next-newer dated release]

### Added

- Struct field type resolution: prescan collects struct definitions into
  `struct_field_types` in `ProjectContext`. `infer_type()` resolves
  `field_expression` types. Integrated with INT32-C and INT30-C.done2026-04-20T16:58:08Z2026-03-11T00:00:00Z2026-03-11T00:00:00Z
U�'
�gluU�.
+�555Release v0.3.25### Added

- EXP33-C ALLOCA/alloca tracking: `alloca()` and `ALLOCA()` allocations treated
  as uninitialized memory. +52 new TPs.

### Fixed

- EXP33-C conditional init heuristic: broadened from incomplete conditionals to
  any conditional body. New `inits_share_conditional` check. +18 new TPs.
- INT31-C VRA improvement: CWE-194 TP rate 41.7% -> 56.8% (+15.1pp, -310
  FP/-31 TP).
- Juliet (68/68 CWEs): 8,420 TP / 9,371 FP, 47.3% TP rate (+0.6pp).done2026-04-20T16:58:08Z2026-03-20T00:00:00Z2026-03-20T00:00:00Z�t-
+�A555Release v0.3.24### Added

- VRA Phase 5: inter-procedural return ranges. `FunctionSummary` gains
  `return_range: Option<ValueRange>` computed during prescan. VRA transfer
  function resolves `call_expression` RHS using callee return range.
- VRA Phase 6: INT31-C migration. Full VRA integration for
  signed->unsigned, unsigned->signed, and narrowing casts. VRA-based range
  narrowing supplements syntactic `is_inside_bounds_checked_block()`.

### Changed

- Prescan reordered: macro constants collected before function summaries.
- Juliet (67/68 CWEs): 7,393 TP / 8,433 FP, 46.7% TP rate (+2.4pp vs
  v0.3.21). ~6x speedup on large non-VRA CWEs via `compute_return_ranges` flag.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Z�x,
+�I555Release v0.3.23### Added

- CFG-based forward value-range analysis (`value_range.rs`). Worklist algorithm
  with interval lattice, edge refinement for all comparison/compound operators,
  type-aware initial ranges, widening after 3 back-edge iterations. Computed
  once per file per function, shared across rules via `set_vra_results()`.

### Changed

- INT33-C: `divisor_provably_nonzero()` tries VRA first, falls back to
  syntactic analysis.
- INT34-C: `check_shift_operation()` tries VRA first for shift amount range.
- INT32-C: all 6 `expression_fits_in_signed` call sites use VRA-backed version.
- INT30-C: all 4 `expression_fits_in_unsigned` call sites use VRA-backed
  version.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Z�+
+�555Release v0.3.22### Fixed

- ARR38-C: function-scoped alias resolution prevents cross-function
  contamination. Skip heuristic checks when buffer size is verified. CWE806:
  function-scoped `find_content_size_in_function()` tracks `memset(var, char,
  N)`. -183 CWE806 FP, -69 CWE805 FP.
- ARR30-C: multi-assignment constant resolution via
  `try_resolve_variable_to_constant`. Extract only condition from AST instead
  of searching full if-body text. -67 CWE129 FP.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Z�*
+�555Release v0.3.21### Added

- CWE-121/122 buffer overflow detection: ARR30-C gains literal loop bounds,
  ALLOCA tracking, pointer alias tracking. ARR38-C gains ALLOCA detection,
  strlen/wcslen overflow, snprintf variants, pointer alias resolution,
  N*sizeof(type) parsing.
- Juliet: CWE-121 39.3% -> 39.9% TP rate, CWE-122 41.7% -> 36.6%.done2026-04-20T16:58:08Z2026-03-19T00:00:00Z2026-03-19T00:00:00Z�`)
+�555Release v0.3.20### Changed

- Benchmark infrastructure overhaul: new `bench/` package replaces shell scripts
  with Python runner + SQLite. `bench/runner.py` with `ProcessPoolExecutor`,
  `bench/analyzer.py` for TP/FP classification, `bench/db.py` with 7-table
  schema in WAL mode. MCP server updated to query SQLite first with legacy
  fallback. `scripts/backfill_juliet_results.py` imported 21 Juliet + 7
  real-world runs. Fast mode default with resume support.
- First 68-CWE fast benchmark: 8,413 TP / 10,484 FP, 44.5% TP rate.done2026-04-20T16:58:08Z2026-03-18T00:00:00Z2026-03-18T00:00:00Z�s(
+�?555Release v0.3.19### Fixed

- ENV03-C: function-scoped clearenv() checks sanitization per-function instead
  of file-level.
- STR02-C: intra-function taint tracking (recv, fgets, fgetws, scanf, getenv,
  etc.) with cast handling and propagation.
- CWE-78 precision: 42.0% -> 45.5%, FP -330, TP -78.done2026-04-20T16:58:08Z2026-03-15T00:00:00Z2026-03-15T00:00:00Z
����G2
+�g555Release v0.3.30### Fixed

- EXP34-C: replaced lattice join in `aggregate_callsite_null_states()` with
  count-based voting. One PossiblyNull callsite no longer poisons parameters
  with 50 NotNull callers. EXP34-C: 26,457 -> 5,290 (-80.0%) across 5
  real-world codebases.
- Juliet: 8,285 TP / 9,180 FP, 47.4% TP rate. CWE-690 TP rate 83.8% -> 94.3%
  (+10.5pp). Zero regressions.done2026-04-20T16:58:08Z2026-03-22T00:00:00Z2026-03-22T00:00:00Z�q1
+�;555Release v0.3.28### Added

- `--save-prescan FILE` / `--load-prescan FILE` CLI flags for
  serializing/deserializing `ProjectContext` to binary cache (bincode format).
  Cache sizes: ~3.6 MB for hostap (12K functions), ~2.4 MB for sqlite.
  Per-worker speedup: hostap 11.2s -> 0.8s (93%), sqlite prescan 866s -> 0s.
  New dependency: `bincode = "1.3"`.
- Persistent prescan cache at `data/prescan_cache/{codebase}.cache` with
  `--rebuild-prescan` flag for regeneration.

### Changed

- Parallel scanner: balanced subdirectory splitting via recursive
  `find_scan_units()`, prescan cache integration, prescan timeout increased
  600s -> 1800s, graceful `TimeoutExpired` fallback.done2026-04-20T16:58:08Z2026-03-21T00:00:00Z2026-03-21T00:00:00Z�10
+�;555Release v0.3.27### Added

- `rules-benchmark.toml` manifest with 13 style/recommendation rules disabled
  (zero Juliet CWE contribution, ~114K realworld violations): EXP19-C, DCL08-C,
  DCL06-C, EXP02-C, EXP14-C, EXP12-C, EXP10-C, DCL04-C, INT02-C, INT01-C,
  INT17-C, INT16-C, PRE31-C.
- Parallel sqc scanner (`scripts/sqc_parallel_scan.py`): splits codebases by
  subdirectory, runs multiple sqc processes via `ProcessPoolExecutor`,
  auto-detects parallelism, deduplicates merged JSON outputs.

### Fixed

- POS49-C: restricted from all shared struct field writes to only actual
  bit-field writes. `collect_bitfield_names()` identifies fields with
  `bitfield_clause`. 15,693 -> 107 violations (-99.3%).

### Changed

- All benchmark infrastructure updated to use `rules-benchmark.toml`.
- MCP realworld server uses parallel scanner with `rebuild_prescan` parameter.done2026-04-20T16:58:08Z2026-03-21T00:00:00Z2026-03-21T00:00:00Z�l/
+�1555Release v0.3.26### Fixed

- EXP33-C: conditional init early-return detection. If/else-if/else chains
  where non-initializing branches have unconditional exits no longer flag as
  uninitialized. New `if_chain_covers_init_or_exit()` analysis.
- ERR33-C (CWE-253): `== 0` for NonZero functions and Count functions no longer
  incorrectly flagged.
- FIO47-C: fixed 100% FP rate (0 TP, 119 FP -> 0 FP). Root cause:
  `count_arguments()` miscounted non-data args for `sprintf`/`sscanf`/`dprintf`.
  Relaxed format validation: `%lf` valid in C99+, removed `'` flag and
  `+/space` with `%o/%u/%x` checks.
- PRE00-C: restricted from all function-like macros to only macros with
  multi-evaluation risk or side effects.
- EXP34-C: pointer function parameters default to NotNull when no
  inter-procedural call-site data exists.
- Juliet: 8,390 TP / 9,252 FP, 47.6% TP rate (+0.3pp). FIO47-C: 119 FP -> 0.
  CWE-134 TP rate 33.4% -> 47.9% (+14.5pp).
- Real-world: -5,366 violations (-1.5%). PRE00-C -4,274, EXP34-C -1,758.
  Cumulative from v0.3.5: -48,086 (-11.9%).done2026-04-20T16:58:08Z2026-03-20T00:00:00Z2026-03-20T00:00:00Z

���
5
+�m555Release v0.3.33### Changed

- EXP33-C: complete rewrite from AST-walk to CFG-based forward dataflow
  analysis. New `init_state.rs` (~1,200 lines) with `InitState` lattice (5
  states: `Uninitialized`, `MaybeUninitialized`, `Initialized`,
  `MallocUninitialized`, `MallocInitialized`), forward worklist algorithm, and
  point queries via `get_var_info_at()`. New capabilities: branch-sensitive
  analysis, loop-aware array init, malloc content tracking, realloc wrapper
  detection, conditionally-initializing function detection, ~30 initializing
  functions with per-argument output indices, non-initializing function list,
  file-scope static variable tracking, subscript read extraction through
  `field_expression` chains.
- API00-C refinements.
- CFG `condition_range` support.
- Realworld benchmark MCP server enhancements (SQLite-first pattern,
  `get_rule_trend`, `get_project_history`).
- bench/db.py improvements.

### Removed

- Legacy shell scripts: batch_analyze_sqlite, bench_mosquitto_versions,
  compare_tools, run_juliet_multi_cwe, run_juliet_parallel, test_single_file.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z�s4
+�?555Release v0.3.32### Fixed

- DCL07-C/DCL31-C FP reduction (-11,556 real-world violations, -7.1%). Three
  root causes addressed:
  1. Prescan deep recursion: `collect_function_names` now recurses into ALL
     child nodes (not just `preproc_*` blocks), finding functions inside ERROR
     nodes from tree-sitter misparses.
  2. Macro alias integration: DCL rules now check `macro_aliases` from prescan.
  3. External library whitelist: OpenSSL, Tcl/Tk, Apple CoreFoundation,
     mbedTLS, cJSON, zlib, GnuTLS, wolfSSL prefixes. `defined` operator
     skipped.
- DCL07-C: 10,617 -> 4,765 (-55.1%). DCL31-C: 10,543 -> 4,840 (-54.1%).
- Juliet: zero change (47.0% TP rate preserved).done2026-04-20T16:58:08Z2026-03-22T00:00:00Z2026-03-22T00:00:00Z�y3
+�K555Release v0.3.31### Fixed

- INT07-C: skip `char *` pointer/array declarations in
  `is_plain_char_declaration`. 96.5% of violations were pointer arithmetic.
  6,230 -> 207 (-96.7%).
- ERR33-C: fixed duplicate violation bug (standalone calls emitted via both
  paths). Suppressed printf/puts/putchar/fputs/fputc/putc, `fprintf(stderr,
  ...)`, `signal(SIG*, SIG_IGN/SIG_DFL)`, `time(&t)` with output parameter.
  Recognized `==0`/`!=0` as NULL checks. Added `putenv`/`strdup`/`strndup`.
  7,182 -> 1,807 (-74.8%).
- MSC41-C: removed overly broad substring keywords (`db`, `connect`). Strict
  word boundaries for `key`/`token`. Leading boundaries for
  `auth`/`login`/`pwd`/`database`. Always apply `looks_like_sensitive_data()`
  heuristic. Added `looks_like_sensitive_in_context()`. 3,954 -> 293 (-92.6%).
- ARR00-C: rewrote `is_array_identifier()` from text-search to AST-based
  `has_array_declaration()`. Guarded checks with array-only. Fixed
  `check_array_assignment` to skip compound assignments. 7,341 -> 2,637
  (-64.1%).
- EXP33-C: added `scanf`/`fscanf`/`sscanf` `&var` argument initialization.
  Added 15 for-each macro patterns. 4,554 -> 4,189 (-8.0%).
- Juliet: 8,156 TP / 9,180 FP, 47.0% TP rate. -129 TP from intentional printf
  suppression. Zero FP change.
- Real-world: 182,020 -> 161,893 (-20,127, -11.1%).done2026-04-20T16:58:08Z2026-03-22T00:00:00Z2026-03-22T00:00:00Z
�O
��"9
+�555Release v0.3.37### Fixed

- FIO30-C CWE-134 format string taint improvements. Three fixes unlock
  detection across all taint source patterns:
  - recv/recvfrom/recvmsg taint tracking: socket receive functions added to
    `process_string_manipulation_call`, handles cast expressions in buffer arg.
  - Macro alias resolution: integrated `const_eval::collect_macro_aliases` for
    `#define GETENV getenv` indirection. All function name lookups go through
    `resolve_func_name()`.
  - `get_base_variable` expression handling for `cast_expression`,
    `parenthesized_expression`, and `binary_expression`.
- Juliet (v0.3.35-v0.3.37 combined vs v0.3.34): TP 8,300 -> 8,508 (+208),
  FP 9,157 -> 9,067 (-90), TP rate 47.5% -> 48.4% (+0.9pp). Zero regressions.
- Real-world: 152,590 -> 153,568 (+978, +0.6%). ARR36-C +2,727 (strchr fires
  broadly on real-world pointer arithmetic). Excluding ARR36-C, net -1,749 FP.
- Source commits pinned in BENCHMARK_INSTALL.md for all 5 codebases.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z�8
+�c555Release v0.3.36### Added

- ARR36-C CWE-469: strchr/wcschr cross-array subtraction detection.
  `PointerAnalyzer` tracks `strchr`, `strrchr`, `wcschr`, `wcsrchr`, `memchr`,
  `strstr`, `wcsstr`, `strpbrk`, `wcspbrk` return values as pointing into
  first argument. Array declarations treated as own base. Assignment expressions
  tracked for pointer origin resolution. 36/36 TP, 0 FP.
- STR03-C CWE-464: `(char)atoi()` null sentinel detection. Covers `strtol`,
  `strtoul`, `atol` with char cast. 38/38 TP, 0 FP.
- API07-C CWE-843: void* type confusion detection. Tracks `void*` assignments,
  detects dereference with incompatible cast where cast type is larger than
  source type. 40/40 TP, 0 FP.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z�B7
+�]555Release v0.3.35### Added

- API07-C CWE-761: free-pointer-not-at-start detection. Tracks
  `malloc`/`calloc`/`realloc` assignments, detects `ptr++`/`ptr+=N`/`ptr--`
  modifications, flags subsequent `free(ptr)`. Handles reassignment and
  reallocation resets.

### Fixed

- EXP33-C: `extract_nested_base_ex()` recurses through nested subscript/field
  chains (`arr[0].field` -> `arr`). `MallocUninitialized` + subscript-in-chain
  -> `MallocInitialized`. `match_initializing_function()` suffix-matches wrapper
  functions (`os_memset` -> `memset`). `*zalloc()` recognized as
  zero-initializing allocator.
- ARR00-C: `find_pointer_source_array()` recursively resolves pointer
  derivation chains (depth limit 5). Eliminates FPs on `end - pos` buffer
  arithmetic.
- ERR33-C: printf-family return value checks suppressed (`fprintf`, `sprintf`,
  `snprintf`, `vprintf`, `vfprintf`, `vsprintf`, `vsnprintf`).

### Changed

- BENCHMARK_INSTALL.md: updated sqc examples from `rules-all.toml` to
  `rules-benchmark.toml`.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z�.6
+�5555Release v0.3.34### Fixed

- EXP33-C critical bug: functions inside `#ifdef`/`#ifndef`/`#if` preprocessor
  blocks were silently skipped. The guard condition `node.kind() !=
  "translation_unit"` excluded all non-top-level parents. Removed incorrect skip
  condition.
- EXP33-C: field-write `MallocUninitialized` preservation re-applied. Field
  writes on malloc'd pointers no longer upgrade to `MallocInitialized`. Stack
  struct field writes still upgrade `Uninitialized` -> `Initialized`.
- Reverted `extract_field_base` nested subscript resolution (caused premature
  `Initialized` marking on first element write).
- Juliet (vs v0.3.32): TP 8,156 -> 8,300 (+144), FP 9,180 -> 9,157 (-23),
  TP rate 47.0% -> 47.5%. EXP33-C: 294/561 -> 431/559.
- Real-world (vs v0.3.32): 150,337 -> 152,590 (+2,253). EXP33-C +2,899
  (hostap +2,525) from `arr[0].field` limitation.done2026-04-20T16:58:08Z2026-03-23T00:00:00Z2026-03-23T00:00:00Z
���*��s=
+�?555Release v0.3.43### Added

- MSC12-C dead code / no-effect detection (CWE-561) with 4 detection patterns:
  no-effect expression statements (comparisons as statements, bitwise/shift with
  discarded result, wasted dereferences, bare identifiers), duplicate conditions
  in if/else-if chains, redundant sub-expressions in logical operators, and
  meaningless `continue` at end of loop body. Exceptions for `(void)` casts,
  function calls in conditions, and function calls in logical sub-expressions.
  12 wiki tests (5 fail + 7 pass).
- Wildcard suppression in `.sqc-suppress.toml` via `[[wildcard]]` TOML section.
  Supports `file_glob`, `rule`, `rule_glob`, `function_prefix`, and
  `justification` fields (all ANDed). Hash-matched suppressions take priority.
  Glob patterns compiled to regex at load time.done2026-04-20T16:58:08Z2026-03-25T00:00:00Z2026-03-25T00:00:00Z�5<
+�C555Release v0.3.42### Fixed

- const_eval.rs: double-nested parens now handled via loop-based stripping.
- DCL02-C: function-scope declarations checked via `init_declarator` +
  root-node traversal.
- EXP40-C: per-scope const variable tracking (was only double-pointer).
- STR34-C: `init_declarator` path + parameter tracking + per-function scoping.
- CON34-C: thread-unsafe function detection via banned function list.
- CON07-C: unprotected shared variable access via file-scope global collection.
- MSC38-C: test reclassified to SIG30-C (already detected).
- ERR01-C: errno-setting function detection for strtol/sqrt.
- MEM10-C: `sizeof(pointer)` misuse detection in alloc/memory calls.
- POS50-C: TOCTOU race detection (`stat()` then `fopen()` on same path).
- DCL17-C: K&R style function declaration + empty param list detection.
- CWE-480 (EXP16-C): AST-based function name collection + NULL recognition.
- CWE-482 (EXP16-C): dead comparison detection.
- CWE-367 (FIO01-C): `access()`/`stat()` + `open()` TOCTOU detection.

### Changed

- Benchmark analyzer: `parse_c_file_sections()` now performs call-graph analysis
  to reclassify helper functions defined outside `#ifndef OMITBAD`/`#ifndef
  OMITGOOD` guards. +52 TP, +5 FP across all runs. 18 historical runs
  retroactively corrected (969 total violations reclassified).
- Coverage gate raised from 79% to 80%. Current: 80.06%.done2026-04-20T16:58:08Z2026-03-25T00:00:00Z2026-03-25T00:00:00Z�L;
+�q555Release v0.3.39### Fixed

- ARR36-C real-world FP reduction (-82%). Per-function scoping fixes
  cross-function variable name collisions. Identifier chain resolution follows
  `variable_arrays` for known identifiers. Compound assignment (`+=`/`-=`) no
  longer overwrites array base. `os_*` wrapper recognition for `os_strchr`,
  `os_strstr`, `os_strrchr`, etc. Allocation functions get unique per-call
  bases. Address-of vs dereference distinction. File-scope + bare declaration
  tracking.
- Juliet: zero delta (8,508 TP, 9,067 FP, 48.4% TP rate).
- Real-world: 157,688 -> 153,156 (-4,532, -2.9%). ARR36-C 4,685 -> 829
  (-3,856, -82.3%).done2026-04-20T16:58:08Z2026-03-24T00:00:00Z2026-03-24T00:00:00Z�L:
+�q555Release v0.3.38### Fixed

- EXP33-C: conditional-init, cast unwrap, and array arg fixes for real-world
  FP reduction.

### Changed

- DCL31-C/DCL07-C: removed library-specific whitelists, added `-I` include
  paths for system-installed third-party headers.done2026-04-20T16:58:08Z2026-03-24T00:00:00Z2026-03-24T00:00:00Z

��I?
+�k555Release v0.3.46### Changed

- P3214-driven FP reduction: 17 rules improved across 5 rounds. Validated
  against P3214 Secondary MCU firmware (8051, Keil C51). Zero Juliet
  regressions across both v0.3.45 and v0.3.46 benchmark runs (51.1% held).
- DCL18-C: skip zero with type suffix (0U, 0u, 0L, 0UL) — not octal confusion.
- DCL08-C: skip enums with consecutive integer sequences (0,1,2 or 1,2,3).
- PRE02-C: skip do{...}while(0) macros and (type)(expr) cast-wrapped macros.
- EXP35-C: arrow operator (->) means pointer return, not temporary struct.
- INT36-C: distinguish bitwise AND (&) from address-of; skip *ptr dereference.
- EXP07-C: skip bit-position shifts (0-7) — standard bit manipulation idioms.
- DCL19-C: skip volatile variables (ISR-shared) and STATIC macro declarations.
- INT17-C: skip hex constants ≤0xFFFF — portable across all C implementations.
- EXP10-C: skip || and && operators — C guarantees left-to-right evaluation.
- PRE08-C: skip self-matches (same filename compared to itself).
- DCL30-C: only flag pointer/array locals assigned to globals, not integer copies.
- EXP02-C: treat func()->field as pure getter read, not a side effect.
- INT34-C: recognize modulo expression (% N) as shift-amount bounds check.
- API00-C: recognize any token containing "STATIC" as static-equivalent macro
  (covers LIN_STATIC_INLINE, MY_STATIC_FUNC, etc.).
- EXP14-C: only flag ~ (bitwise NOT) and << (left shift) for promotion risk;
  skip &, |, ^, >> which are safe with unsigned operands.
- DCL17-C: skip simple volatile reads/writes; only flag compound operations
  (++, --, +=, -=) where read-modify-write may be non-atomic.
- INT14-C: skip 2-char loop index variables (bi) for mixed bitwise+arithmetic.
- INT30-C: skip narrow unsigned types (uint8_t, uint16_t) — promoted to int
  (≥32-bit) before arithmetic, cannot overflow promoted type. Preserved actual
  declared type from type_map instead of returning generic "unsigned".

### Results

- Juliet: 8,383 TP / 8,020 FP, 51.1% TP rate (unchanged from v0.3.44).
  Zero delta on all 69 CWEs across both v0.3.45 and v0.3.46 runs.
- P3214 Secondary MCU: 1,372 → 476 violations (-896, -65.3%).done2026-04-20T16:58:08Z2026-03-28T00:00:00Z2026-03-28T00:00:00Z�1>
+�;555Release v0.3.44### Changed

- ENV33-C: taint-source heuristic suppression for system()/popen(). Functions
  with no tainted input sources (recv, fgets, getenv, scanf, etc.) and no
  pointer/string parameters are suppressed. String literal arguments and
  cross-function sinks with char* params remain flagged. Macro aliases
  (#define SYSTEM system) resolved via project context.
- FLP03-C: removed overbroad check_fp_conversion() that flagged all
  float/double cast expressions. Added divide-by-zero guard detection:
  fabs/fabsf/fabsl magnitude checks, != 0, > 0, < 0 conditions suppress
  guarded divisions.

### Results

- Juliet TP rate: 48.4% -> 51.1% (+2.7pp). **P0 milestone achieved.**
- Total: TP 8,508->8,383 (-125), FP 9,067->8,020 (-1,047). 8.4:1 FP:TP ratio.
- ENV33-C: -818 FP/-139 TP (5.9:1). FP rate 58%->24.6%.
- FLP03-C: -234 FP/-70 TP (3.3:1). FP rate 69%->58.2%.
- CWE-78: TP rate 45.5%->63.0% (+17.5pp).
- CWE-369: TP rate 33.6%->36.9% (+3.3pp).
- Bonus: CWE-367 +15 TP, CWE-479 +36 TP, CWE-480 +10 TP, CWE-482 +7 TP
  (from v0.3.43 MSC12-C/wildcard rules newly matched to CWEs).
- Realworld: 154,598->154,603 (+5, flat). FLP03-C -164 (-43%, clean).
  ENV33-C -1. EXP16-C +160 regression in sqlite (unrelated, needs investigation).done2026-04-20T16:58:08Z2026-03-26T00:00:00Z2026-03-26T00:00:00Z
ii�A
+�555Release v0.3.48### Fixed

- analyze: resolve_includes now runs even when --load-prescan is set. Previously
  -I include paths were silently ignored during parallel scans (sqc_parallel_scan.py),
  causing DCL31-C/DCL07-C to flag functions declared in system headers.
  Realworld impact: DCL31-C+DCL07-C 14,657 → 3,772 (-10,885, -74%).
  Overall: 154,603 → 142,185 (-12,418, -8.0%).
- MEM04-C: sizeof() expressions now recognized as always non-zero in
  is_potentially_zero(). malloc(sizeof(int)) no longer falsely flagged.
- FIO10-C: POSIX rename() with return value check accepted as compliant.
  On POSIX, rename() atomically replaces the destination, so checking the
  return value is sufficient handling (task 18).

### Added

- test infra: `// sqc-test: prescan` marker for .c test files (task 19).
  build.rs detects the marker and generates tests that build intra-file
  prescan context (function summaries + call-site null states + CFGs) before
  calling rule.check(). Enables testing inter-procedural analysis patterns
  within a single translation unit.
- prescan: added prescan_single_tree() — builds ProjectContext from a single
  parsed tree for use in integration tests.
- analyze: collect_function_cfgs() now public for test use.
- EXP34-C: 3 intra-file null deref tests moved from pass/ to fail/ using
  prescan marker (func_param, list_null, callback_null). All correctly detect
  violations via call-site null state propagation.
- FIO10-C: added pass/testcases_posix_rename.c for POSIX error-checked rename.

### Changed

- WIN30-C: NULL security attributes test reclassified as out of scope.
  CreateFileA/CreatePipe security attributes are not related to WIN30-C
  (alloc/dealloc pairing). Test comment updated.done2026-04-20T16:58:08Z2026-03-29T00:00:00Z2026-03-29T00:00:00Z�~@
+�U555Release v0.3.47### Changed

- FIO24-C: added double-close detection for fclose/close/CloseHandle/closesocket.
  Tracks closed variables per function; flags duplicate close without intervening
  reopen. Resolves CWE-675 (224 Juliet files, 93.0% TP rate).
- POS37-C: added unchecked Windows privilege API return value detection
  (ImpersonateNamedPipeClient, RpcImpersonateClient, ImpersonateLoggedOnUser,
  CoImpersonateClient, ImpersonateSelf, SetThreadToken). Resolves CWE-273
  (36 Juliet files, 100% TP rate).
- DCL30-C: skip return of pointer to static local address. When a local pointer
  is assigned from &static_var[i], returning it is safe. Eliminates CWE-562 FP.
- MSC37-C: skip phantom functions from preprocessor-broken else-if chains.
  tree-sitter misparses disconnected else-if as function definitions.
- MSC37-C: recognize else_clause nodes in all-branches-return check. if/else
  where both branches return was falsely flagged.
- INT33-C: recurse into nested blocks for zero-guard detection. Guards inside
  outer if-blocks (e.g., null-check wrapping a zero-check) now recognized.
- INT34-C: recognize (mask >> var) != 0 loop condition as shift-amount bound.
  while ((mask >> bi) != 0u) implicitly constrains bi to < bit width.
- rule_cwe_map: added MSC12-C → CWE-561 mapping.
- INT32-C: scope type_map per function definition. Two functions declaring
  same variable name with different types (float X_pred vs int32_t X_pred)
  no longer collide — each function gets its own type map.
- DCL06-C: accept float zero literals (0.0f, 1.0f, etc.) as non-magic.
  Strip float/unsigned suffixes before checking acceptable values.
- FLP02-C: skip equality comparisons against exact zero (0.0, 0.0f). Zero
  is exactly representable in IEEE 754 — divide-by-zero guards are valid.
- bench/analyzer.py: fixed CSV parser regex for version:HASH suffix that broke
  line number extraction when commit hash started with a digit.

### Results

- 3 formerly zero-detection CWEs now detecting: CWE-675 (80 TP, 93.0%),
  CWE-273 (72 TP, 100%), CWE-562 (2 TP, 66.7% → 100% after DCL30-C fix).done2026-04-20T16:58:08Z2026-03-29T00:00:00Z2026-03-29T00:00:00Z
]
��	�P]�pF
+�9555Release v0.3.56### Added

- EXP34-C: variant 63 pointer-to-pointer null propagation. When caller passes
  &data where data=NULL, prescan tracks the pointee null state through
  callsite_param_pointee_null_states in FunctionSummary. Null state analysis
  seeds "*paramName" into initial state; transfer function propagates *ptr
  dereference. +6 TP, 0 FP across all 6 data types in CWE-476 variant 63.
- EXP34-C: variant 64 void pointer cast propagation. Cast expressions
  (dataPtr = (int**)dataVoidPtr) preserve "*" state keys. Parenthesized
  dereference form (*dataPtr) unwrapped for variant 63/64. +6 TP, 0 FP.
- EXP34-C: variant 66 array element null propagation. Prescan tracks
  subscript_expression assignments (arr[idx] = expr) as "arr.idx" dotted
  keys, reusing the struct field mechanism. Transfer function handles
  subscript_expression lookups. +6 TP, 0 FP.
- 6 new EXP34-C regression tests for variants 63, 64, and 66.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�E
+�{555Release v0.3.52### Changed

- EXP33-C: partial init array detection. Track allocation element count from
  malloc/ALLOCA calls; compare for-loop bound vs allocation count. If loop
  bound < allocation count, content stays MallocUninitialized (partial init).
  Detects 6 partial_init array types across all 18 Juliet variants (+102 TP).
- init_state: dead-branch elimination for constant conditions. Collect
  file-scope static [const] constants; evaluate branch conditions at analysis
  time; skip impossible edges. Handles literal (if(1)), const expr (if(5==5)),
  and static const/var conditions (if(STATIC_CONST_TRUE), if(staticTrue)).
  Eliminates opaque predicate FPs in Juliet variants 02-07 (-198 FP).
- const_eval: added comparison operators (==, !=, <, >, <=, >=) to
  try_evaluate_expr(). Enables constant condition evaluation.
- prescan: collect global constants from prescanned directories. Non-static
  const/non-const globals with compile-time values stored in
  ProjectContext.global_constants. Merged with macro_constants into EXP33-C
  file_scope_constants for cross-file dead-branch elimination (variants 09-14).

### Results

- CWE-457: 422 TP/715 FP (37.1%) → 524 TP/517 FP (50.3%). +102 TP, -198 FP,
  +13.2pp TP rate. Per-file detection 68.5% → 85.1%.
- Overall: 51.6% → 51.9% (+0.3pp). +101 TP, -200 FP. Zero regressions.done2026-04-20T16:58:08Z2026-03-31T00:00:00Z2026-03-31T00:00:00Z�D
+�555Release v0.3.51### Added

- MSC07-C: unreachable code detection (BRULE-034 gap). AST-based detection of
  statements after unconditional return/break/continue/goto and noreturn calls
  (exit, abort, _Exit, longjmp, quick_exit, thrd_exit, ExitProcess, ExitThread).
  Reports only first unreachable statement per terminal. CWE-561 mapping.
  11 tests: 7 fail, 4 pass.
- MSC04-C: bounded recursion suppression. If a recursive function has a
  parameter-dependent base case (conditional return checking a parameter),
  the violation is suppressed. CWE-674: 2 TP/2 FP → 1 TP/0 FP (100% TP rate).done2026-04-20T16:58:08Z2026-03-30T00:00:00Z2026-03-30T00:00:00Z�8C
+�I555Release v0.3.50### Changed

- prescan: detect (type *)param cast pattern as dereference in function
  summaries. Enables EXP33-C variant 64 (void* → cast → deref) detection.
  CWE-457: +10 TP, +10 FP (void pointer indirection types).done2026-04-20T16:58:08Z2026-03-30T00:00:00Z2026-03-30T00:00:00Z�@B
+�Y555Release v0.3.49### Changed

- EXP33-C: cross-file inter-procedural init tracking via set_project_context().
  build_read_only_deref_fns(): dereferences_params - modifies_params.
  InitAnalysisConfig.read_only_deref_fns prevents &var from being marked
  initialized when callee only reads through the pointer.
  check_cross_file_uninit_calls: flags calls passing &uninit_var to functions
  that read the pointed-to value (variant 63 pattern).
  CWE-457: +10 TP, +10 FP (10 simple scalar/pointer types).done2026-04-20T16:58:08Z2026-03-30T00:00:00Z2026-03-30T00:00:00Z
�R��I
+�a555Release v0.3.59### Added

- MSC42-C: new rule for CWE-327 broken/weak crypto algorithm detection. Blacklist:
  CALG_DES, CALG_3DES, CALG_RC5, CALG_RC2, CALG_RC4 in CryptDeriveKey/CryptGenKey.
  Also detects weak OpenSSL ciphers (EVP_des_*, DES_*, EVP_rc4, EVP_rc2_*).
  54 TP/0 FP (100%).
- WIN05-C: new rule for CWE-272 unquoted CreateProcess path detection. Two
  sub-patterns: unquoted paths with spaces in CreateProcessA/W/AsUser (path
  interception), HKEY_LOCAL_MACHINE in registry operations (excessive privilege).
  254 TP/64 FP (79.9%).
- ARR39-C: CWE-468 incorrect pointer scaling fix. Case-insensitive pointer name
  matching, added "pointer" keyword. Detects double-scaling pattern.
  19 TP/32 FP (37.3%).
- MSC41-C: CWE-259 hard-coded password improvements. Added "logon" to sensitive
  function keywords, added #define macro detection for sensitive-named macros.
  0 TP/0 FP on Juliet (tree-sitter preprocessor limitation).

### Results

- Juliet v0.3.59: 23,678 TP / 21,117 FP — 52.9% TP rate (+0.3pp from v0.3.58).
  +327 TP, +96 FP. 74 CWEs covered (up from 70).done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�:H
+�M555Release v0.3.58### Added

- SIG31-C + SIG34-C: CWE-364 signal handler race condition detection. Mapped
  existing rules to CWE-364. 54 TP/51 FP (51.4%).
- MSC12-C: CWE-398 poor code quality — extended with 7 new patterns: empty
  control flow bodies, empty function bodies, standalone empty blocks, empty
  switch cases, stray semicolons, arithmetic no-effect, self-assignment.
  181 TP/2 FP (98.9%).
- MSC13-C: new rule for CWE-563 unused variable detection. Detects unused
  initialized/uninitialized local variables and dead stores. Struct field write
  not counted as read. 289 TP/0 FP (100%).

### Results

- Juliet v0.3.58: 23,351 TP / 21,021 FP — 52.6% TP rate (+0.5pp from v0.3.56).
  +524 TP, +53 FP. Zero regressions on 70 existing CWEs.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�+G
+�/555Release v0.3.57### Fixed

- STR03-C, INT00-C, INT16-C: resolved 3 remaining implementation bugs.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z
���M
+�y555Release v0.3.63### Added

- BRULE-065: pointer indirection depth check. Flags declarations with excessive
  pointer indirection (e.g., `int ***p`). Handles parameter declarations,
  init_declarators, and nested declarator chains. First non-CERT rule —
  established `src/rules/brules/` directory structure.
- `expected_fail/` test directory for known analysis limitations. build.rs
  generates tests with `#[ignore = "Known limitation: ..."]`. Run with
  `cargo test -- --ignored` to check for improvements.

### Fixed

- MSC13-C: compound assignment LHS (`+=`, `-=`, etc.) now recognized as a read.
  `is_read_context()` checks assignment operator type; `collect_all_assignments()`
  only collects simple `=` assignments.
- INT34-C: AST-based unsigned type detection from function parameter declarations.
  Replaced string matching with `decl_has_unsigned_var()` and correct
  `find_parameter_list()` traversal.
- Number of additional fixes (see commit history).done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�SL
+�555Release v0.3.62### Fixed

- Resolved all 5 pre-existing test failures (CON08-C, DCL20-C, INT08-C, EXP15-C).
  Zero test failures remain.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�K
+�	555Release v0.3.61### Added

- Man page (`docs/sqc.1`) covering all 16 CLI options, exit codes, rules manifest
  and suppression file config, 7 usage examples, and cross-references.
  View with: `man -l docs/sqc.1`.
- Test coverage gate raised from 80% to 81% (1,350 additional lines covered).
  75+ new `.c` test files across 10 rules.done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z�rJ
+�=555Release v0.3.60### Added

- EXP39-C: CWE-188 struct memory layout assumption detection. Two new checks:
  (1) struct field pointer arithmetic — flags *(T*)(ptr + offset) where ptr was
  assigned from &struct.field, (2) union type punning — flags sub-field access
  into struct member of union after writing to a different scalar member.
  36 TP/0 FP (100%). All 36 Juliet files detected.
- FIO42-C: CWE-459 incomplete temp file cleanup. Detects mkstemp/mktemp/MKSTEMP
  /MKTEMP calls without corresponding unlink/remove/DeleteFile cleanup in the
  same function. 34 TP/0 FP (100%). 34/36 files (variant-12 mixed branches missed).
- POS55-C: new rule for CWE-666 socket operation ordering. State machine enforces
  bind() → listen() → accept() order. Flags accept before listen/bind, listen
  before bind. 162 TP/0 FP (100%). All 90 Juliet files detected.
- MEM03-C: CWE-226 sensitive data not cleared before release. Detects pointer/array
  variables with sensitive names (password, secret, credential, passphrase) not
  cleared with SecureZeroMemory/memset/explicit_bzero before function exit.
  68 TP/0 FP (100%). 68/72 files (variant-12 missed).
- MEM35-C: CWE-789 unbounded memory allocation from untrusted input.
  Intra-procedural taint analysis flags malloc/calloc/realloc in functions with
  taint sources (recv, fgets, fscanf, rand) and no upper-bound check (< constant).
  190 TP/0 FP (100%). Cross-function variants need inter-procedural taint.
- ERR07-C: CWE-114 untrusted library path / process control. Intra-procedural
  taint analysis flags LoadLibraryA/W/dlopen in functions with taint sources.
  126 TP/0 FP (100%). Cross-function variants need inter-procedural taint.

### Results

- Juliet v0.3.60: 24,408 TP / 21,117 FP — 53.6% TP rate (+0.7pp from v0.3.59).
  +730 TP, 0 FP. 31 CWEs at 100% precision (up from 25). Per-file rate 40.9%.
  Only 2 zero-detection CWEs remaining (CWE-259, CWE-328).
- Bonus: CWE-680 +80 TP/0 FP (MEM35-C taint caught integer-overflow-to-buffer-
  overflow), CWE-244 +34 TP/0 FP (MEM03-C sensitive data caught heap inspection).done2026-04-20T16:58:08Z2026-04-01T00:00:00Z2026-04-01T00:00:00Z
�$"
���IQ
+�k555Release v0.3.67### Fixed

- resolve_local_var_range returned first assignment instead of last. For
  `data = 0; data = INT_MAX; result = data + 1;`, resolved data to [0,0]
  instead of [INT_MAX,INT_MAX], causing INT32-C/INT30-C false suppression.
- Unevaluable assignments (data = rand(), fscanf(&data)) left stale range
  from prior assignment. New stmt_modifies_var() invalidates range on
  unevaluable assignment or pointer-modifying call.
- Juliet benchmark runner: -d JULIET_BASE prescanned 58K files per CWE
  (~4 min each × 74 CWEs). Changed to CWE-scoped prescan and -j 1.
  Benchmark time: hours → 7 min.

### Results

- CWE-190: 1,763→2,322 TP (+559), per-file 35.0%→43.3% (+8.3pp)
- CWE-191: 1,563→1,973 TP (+410), per-file 40.5%→47.7% (+7.2pp)
- CWE-680: 404→559 TP (+155), TP rate 48.7%→51.4% (+2.7pp)
- Overall: +1,144 TP, +1,290 FP. TP rate 53.6%→53.3% (-0.3pp).done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z�
P
+�s555Release v0.3.66### Added

- LPT file-size scheduling for parallel analysis. Graham's LPT heuristic
  (1969): files sorted by size descending, dispatched via rayon par_bridge()
  (demand-driven). Reduces worst-case runtime variance by 52-99% and improves
  CPU efficiency from 83% to 96% on skewed workloads (sqlite, curl).done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z�O
+�W555Release v0.3.65### Fixed

- Sequential mode (`-j 1`) now creates a fresh RuleRegistry per file, matching
  parallel mode behavior. Previously, rules with RefCell state (DCL31-C, DCL07-C,
  ERR01-C, ERR33-C, ENV33-C, ENV03-C, ENV02-C, API00-C, INT30-C, SIG00-C,
  SIG02-C, WIN03-C, WIN05-C, WIN30-C) accumulated data across files, causing
  false suppressions in later files. Sequential and parallel modes now produce
  identical output.done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z�YN
+�555Release v0.3.64### Added

- Built-in parallel analysis with rayon (`-j`/`--jobs` flag). Default `-j 0`
  auto-detects CPU count. Per-file parser and rule registry instances avoid
  RefCell/Send issues. Results sorted deterministically. Python parallel wrapper
  (`scripts/sqc_parallel_scan.py`) removed — no longer needed.
  Performance: curl 9m38s → 59s (9.8x), mosquitto 2m42s → 34s (4.8x).done2026-04-20T16:58:08Z2026-04-02T00:00:00Z2026-04-02T00:00:00Z
���+V
+�/555Release v0.3.78### Changed

- STR31-C: is_string_memcpy() now checks next 3 lines for manual null-termination
  (dest[...] = '\0').  If programmer explicitly null-terminates after memcpy,
  STR31-C concern is addressed; buffer overflow is a separate ARR38-C concern.

### Benchmark

- −306 FP, −220 TP (1.4:1 ratio). CWE-126 +1.2pp, CWE-121 +0.3pp.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z�EU
+�c555Release v0.3.77### Changed

- ARR38-C: is_dangerous_size_calculation() exempts strlen(x)*sizeof(T) —
  legitimate byte count, not sizeof double-scaling.

### Benchmark

- −1012 FP, −728 TP (1.4:1 ratio). CWE-121 48.8% → 49.9%, CWE-126 +1.5pp.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z�/T
+�7555Release v0.3.76### Changed

- STR31-C: find_buffer_size() follows `data = dataBuffer` pointer aliases
  (function-scoped, excludes pointer arithmetic).  Recognizes ALLOCA(N*sizeof(T))
  and ALLOCA(N).  Array size arithmetic (N*M, N+M, N-M) also supported.

### Benchmark

- −272 FP, −8 TP (34:1 ratio). CWE-127 55.6% → 64.4%, CWE-124 52.1% → 55.0%.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z�RS
+�}555Release v0.3.75### Added

- bench/competitors.py: benchmark runner for Infer and Frama-C on Juliet.
  Runs competitor tools on overlapping CWE subsets, classifies TP/FP using
  Juliet ground truth (OMITBAD/OMITGOOD guards + procedure names).
  Infer: 11 CWEs (memory safety). Frama-C EVA: 6 CWEs (value analysis).
- playbooks/install-static-analyzers.yml: Ansible playbook for installing
  Infer v1.2.0 (prebuilt) and Frama-C 32.0 Germanium (via opam) on Debian 12.
- docs/benchmark-setup.rst: Infer and Frama-C installation instructions.
- docs/benchmark-running.rst: competitor benchmark usage, timing, classification.
- paper/sqc.tex: preliminary Infer/Frama-C comparison data (CWE-476 pilot).
- PLAN.md: split task 33 into 33a (Infer) and 33b (Frama-C) with run commands.done2026-04-20T16:58:08Z2026-04-03T00:00:00Z2026-04-03T00:00:00Z�dR
+�!555Release v0.3.74### Added

- is_full_range_return_function() denylist in std_functions.rs: atoi, atol,
  atoll, strtol, strtoul, strtoll, strtoull, strtoimax, strtoumax, wcstol,
  wcstoul, wcstoll, wcstoull, wcstoimax, wcstoumax, rand, random, lrand48,
  mrand48, rand_r, RAND32, ntohl, ntohs. Functions whose return values can
  span the full integer range are no longer suppressed by the opaque
  increment heuristic in INT32-C and INT30-C.
- resolve_identifier_call_name() in INT32-C/INT30-C: traces the callee
  function name through switch, case, for, while, if, compound, and preproc
  blocks. Enables the denylist check for deeply nested call assignments.
- VRA collect_local_decl_types(): records declared types for uninitialized
  local variables (e.g. `int data;`). Prevents fallback to [i64::MIN,
  i64::MAX] when the variable is later assigned from an unevaluable call.
- VRA local_types lookup in process_expression_range(): uses declared type
  as fallback when existing VRA entry has no type info.

### Fixed

- INT32-C/INT30-C: is_small_increment_of_opaque no longer blanket-suppresses
  `atoi(buf) + 1`, `rand() + 1`, and similar patterns. Known full-range
  functions bypass suppression. Local functions with wide VRA return ranges
  also bypass. strlen()+1 and other bounded-return patterns remain suppressed.
- VRA: `int data; data = atoi(buf);` now correctly uses [INT_MIN, INT_MAX]
  instead of [i64::MIN, i64::MAX] for the fallback range. Fixes incorrect
  VRA suppression of overflow checks for uninit-declared variables.

### Results

- CWE-190: 2,322→2,538 TP (+216), FP -6. TP rate 45.1%→47.4% (+2.3pp).
- CWE-191: 1,973→2,091 TP (+118), FP -6. TP rate 44.0%→45.5% (+1.5pp).
- CWE-680: 559→617 TP (+58), FP unchanged. TP rate 51.4%→53.9% (+2.5pp).
- Overall: +392 TP, -12 FP. TP rate 54.4%→54.8% (+0.4pp). Per-file 45.4%→45.7%.
- Zero CWE regressions. INT32-C: +360 TP / -12 FP (30:1 improvement ratio).done2026-04-20T16:58:08Z2026-04-03T00:00:00Z2026-04-03T00:00:00Z
f�
�R�:[
+�M555Release v0.3.83### Changed

- INT32-C/INT30-C: VRA now consulted for increment/decrement operations.
  check_increment_decrement() uses expression_fits_in_signed/unsigned_vra()
  to suppress data++ when VRA proves the operand is safely within bounds.
- const_eval: try_evaluate_range() handles update_expression nodes (++/--)
  by resolving the argument range and adding/subtracting 1.
- const_eval: try_evaluate_text() resolves sizeof(type) via resolve_sizeof_type()
  and sizeof(variable) conservatively as 1 (sizeof >= 1 on all platforms).
  Enables CHAR_ARRAY_SIZE = (3 * sizeof(data) + 2) macro resolution.
- CWE-190: 47.4% → 58.6% (+11.2pp). CWE-191: 45.5% → 53.9% (+8.4pp).
- Overall: -2,760 FP, -1,388 TP. TP rate 56.8% → 59.0% (+2.2pp).done2026-04-20T16:58:09Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�tZ
+�A555Release v0.3.82### Changed

- CFG: constant condition pruning for if(0)/if(1)/while(1)/for(;;).
  Only the feasible branch edge is emitted, eliminating infeasible-path FPs.
  Also evaluates literal comparisons (5==5, 5!=5) in conditions.
- null_state: walk switch_statement bodies for declarations and assignments.
  Previously the switch was treated as a single opaque statement in the CFG.
- EXP34-C: AST-level null guard fallback — walk ancestors for enclosing
  if(var != NULL) blocks to suppress dereferences inside null guards that
  the CFG cannot model (e.g., inside switch case bodies).
- API00-C: relay function suppression — skip validation warning when a
  pointer parameter is only passed to callees that check for null.

### Benchmark

- Overall: +3 TP, −378 FP (56.3% → 56.8%). Zero regressions.
- CWE-476: +3 TP, −70 FP (50.8% → 56.3%).
- CWE-690: −38 FP (94.6% → 100.0% TP rate).
- Spillover: CWE-195 −150 FP, CWE-369 −60 FP, CWE-680 −30 FP.
- Per-rule: INT31-C −180 FP, EXP34-C −90 FP, INT33-C −60 FP, API00-C −18 FP.done2026-04-20T16:58:08Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�lY
+�1555Release v0.3.81### Changed

- ARR38-C: extract_strlen_from_sizeof_expr() helper extracts strlen/wcslen
  argument from strlen(x)*sizeof(T) patterns.  Added to check_buffer_size_mismatch
  and check_string_size_parameter: compares source vs dest buffer sizes.
  When source > dest, flags overflow (recovers TPs lost by Fix 2 blanket exemption).

### Benchmark

- +200 TP, +48 FP (4.2:1 ratio). CWE-121 54.3% → 55.7%.done2026-04-20T16:58:08Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�+X
+�/555Release v0.3.80### Changed

- ARR38-C: is_size_within_known_buffer() helper — when check_size_exceeds_buffer
  confirms size fits, skip is_hardcoded_large_size/count heuristics.
  Applied to check_string_size_parameter, check_buffer_function,
  check_wide_string_function.

### Benchmark

- −272 FP, −48 TP (5.7:1 ratio). CWE-121 51.6% → 54.3%.done2026-04-20T16:58:08Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�W
+�555Release v0.3.79### Changed

- STR31-C: get_memset_content_length() scans enclosing function for
  memset/wmemset initialization + null-termination pattern.  Infers strlen(data)
  from fill count.  Max-across-branches for control flow variants.

### Benchmark

- −204 FP, 0 TP (pure FP elimination). CWE-121 +1.4pp, CWE-122 +1.7pp.done2026-04-20T16:58:08Z2026-04-04T00:00:00Z2026-04-04T00:00:00Z
�����`^
+�555Release v0.3.86### Changed

- MEM31-C: prescan-based callee-frees-param detection. When a callee function
  is known (via FunctionSummary.frees_params) to free a parameter, mark the
  allocation as freed at the call site instead of flagging a leak.
- FunctionSummary: param pass-through tracking. Detects when function params
  are forwarded directly to callees (AST-based). Used for transitive free
  propagation across relay function chains (A→B→C→free).
- prescan: propagate_transitive_frees() fixpoint. After all summaries are
  merged, propagates frees through pass-through chains up to 10 levels deep.
- MEM31-C: if/else branch merge fix. Use UNION of freed memory from both
  branches instead of only true branch state. Prevents FPs where free() is
  in the else clause of constant-condition if/else blocks.
- MEM31-C converted from unit struct to stateful struct with
  set_project_context() for prescan integration.

### Benchmark

- CWE-401: 50.7% → 77.6% (+26.9pp). MEM31-C: -543 FP, -25 TP (21.7:1 ratio).
- MEM31-C rule FP rate: 49.3% → 22.4%.
- Overall: 25,456 TP / 15,768 FP. TP rate 61.0% → 61.8% (+0.8pp).
  Zero regressions across all 74 CWEs.done2026-04-20T16:58:09Z2026-04-06T00:00:00Z2026-04-06T00:00:00Z�h]
+�)555Release v0.3.85### Changed

- MEM01-C: CFG-based forward reachability replaces naive "next statement is
  NULL?" check. For each free(ptr), BFS through CFG successor blocks — only
  flags when ptr is actually used or freed again on a reachable path. Suppresses
  when ptr goes out of scope or is reassigned. Declaration-as-reassignment
  handling for loop-scoped variables. Inline CFG building fallback for tests.
- CWE-415: 43.4% → 58.2% (+14.8pp). CWE-416: 43.9% → 92.9% (+49.0pp).
- MEM01-C: -654 FP, -204 TP (3.2:1 ratio). Rule TP rate 41.7% → 71.8%.
- Overall: 25,481 TP / 16,311 FP. TP rate 60.2% → 61.0% (+0.8pp).
  Zero regressions across all 74 CWEs.done2026-04-20T16:58:09Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z�q\
+�;555Release v0.3.84### Changed

- INT33-C: all-assignments-nonzero check for divisor variables. If ALL
  assignments to the divisor in the containing function are non-zero constants,
  the division is safe. Loop update detection (i--, i++) prevents false
  suppression of loop variables.
- INT33-C: fabs()/fabsf()/fabsl() magnitude guard recognition. Float
  divide-by-zero guards like `if(fabs(data) > 0.000001)` now suppress.
- FLP03-C: constant-aware divisor non-zero detection. Two-strategy approach:
  all-assignments-nonzero, and feasible-branch walk using file-scope constants
  to determine last reaching assignment.
- CFG builder: resolve static const int variables as constant conditions.
  Enables dead-branch pruning for `if(STATIC_CONST_TRUE)` patterns.
- const_eval: collect file-scope `static const int` declarations as constants.
- const_eval: float literal to i64 fallback (e.g., 2.0F → 2) for VRA tracking.
- CWE-369 TP rate 37.9% → 53.9% (+16.0pp). -882 FP, -8 TP overall.
  Bonus: INT31-C -144 FP, EXP34-C -24 FP from CFG constant resolution.done2026-04-20T16:58:09Z2026-04-05T00:00:00Z2026-04-05T00:00:00Z
{{�a
+�555Release v0.3.91### Changed

- FunctionSummary: recognize alias null-checks as param null-checks.
  Pattern: `TYPE *alias = param;` followed by a null check on `alias`.
  Common in libcurl/sqlite wrappers that cast-copy the pointer param first
  (e.g. `struct Curl_easy *data = d; if(!data) ...`). Without this,
  `d` was not detected as null-checked, causing caller-side EXP34-C FPs
  on curl wrappers.

### Benchmark

- Addresses v0.3.90 curl EXP34-C regression (+45 FPs from unmasked short
  param-name substring matches revealing previously-hidden violations on
  curl wrapper patterns).done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z�`
+�c555Release v0.3.90### Changed

- FunctionSummary.checks_null_params: recognize `PARAM == 0` / `PARAM != 0`
  and reversed-operand variants as null checks. Previously only the `== NULL`
  / `!= NULL` spellings matched, so idioms like `if(pStmt==0)` (common in
  sqlite, libcurl) did not register the param as null-checked. The new
  `body_matches_null_check()` helper also handles arbitrary whitespace
  between tokens and uses word-boundary checks to avoid matching substrings.
- EXP34-C: skip deref-function arg check when callee is in the null-safe
  list (free, realloc). `free(NULL)` is defined as no-op per C11 7.22.3.3
  and `realloc(NULL, n)` per C11 7.22.3.5; flagging them as null-deref sites
  is incorrect.
- EXP34-C null-safe function list: added `realloc`.

### Task

- Task 61 (partial): EXP34-C FP reduction for null-safe wrappers and the
  `== 0` null-check idiom. The originally-listed 16 FPs in d_lib_common
  (Patterns 9 + 18) were already addressed by earlier EXP34-C work
  (v0.3.82 AST-level null guard + v0.2.20 &stack_var propagation). This
  changeset targets the remaining `Memory_Free(NULL)` wrapper FP and the
  sqlite-style `== 0` null-check idiom surfaced by the realworld benchmark.done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z�^_
+�555Release v0.3.87### Added

- 13 multi-file CLI integration tests for cross-file prescan capabilities:
  callsite null propagation (EXP34-C), can_return_null (EXP34-C),
  frees_params (MEM31-C), header_declared_functions (DCL15-C).
  Each scenario tests with-d, without-d, and safe variants.
  (Task 20)
- Test fixtures: crossfile_callsite_null/, crossfile_frees/, crossfile_header/
  with manifests for MEM31-C and DCL15-C.

### Changed

- docs/architecture.rst: comprehensive rewrite. Inventory of all 10 analysis
  modules, capabilities table expanded from 10 to 17 entries, limitations
  table updated (8 entries with impact), per-CWE ceiling analysis, updated
  competitor landscape from 5-tool benchmark. Removed outdated claims
  ("No VRA", "No whole-program analysis", 48% TP rate). (Task 37)
- README.md: benchmark table updated (48.4% → 61.8% TP rate, 16 → 32
  perfect CWEs, added per-file detection rate 42.6%).
- docs/sqc.1: man page version 0.3.61 → 0.3.87.
- docs/cli-usage.rst: prescan collection list expanded from 4 to 9 items
  (added header prototypes, call graph, call-site arg states, struct field
  types, global constants, global null states).done2026-04-20T16:58:09Z2026-04-07T00:00:00Z2026-04-07T00:00:00Z
����#c
+�555Release v0.3.93### Changed

- INT30-C: drop the dedicated `malloc()` / `realloc()` multiplication
  overflow check. The inner `*` expression is already covered by the
  generic `check_multiplication` walker (which correctly skips under
  VRA / constant-folding / SIZE_MAX-guard conditions), so the
  allocation-level check only produced duplicate diagnostics on every
  hit and occasional false positives on good-path cases where the
  inner check had proved the multiplication safe (e.g. Juliet
  `malloc(data * sizeof(int))` with `data = 20`). Calloc's dedicated
  check remains — its multiplication is implicit and not visible to
  the binary-expression walk.
- INT30-C: removed now-dead `flag_allocation_overflow` and
  `contains_multiplication` helpers.

### Benchmark

- Follow-up to v0.3.92: the v0.3.92 get_function_arguments fix
  restored the previously-broken malloc/realloc check, adding 525
  duplicate diagnostics on CWE-680 (TP +207, FP +318, TP rate
  −4.7pp). Deduplicating the check brings CWE-680 back to baseline
  while preserving the v0.3.92 embedded FP reductions and the
  calloc-wrapper / message-cleanup improvements.
- Juliet v0.3.93 vs v0.3.91 (baseline): zero delta across all 74
  CWEs — TP 25354, FP 15768, TP rate 61.7%, unchanged. The v0.3.92
  CWE-680 regression is fully reversed.
- Real-world v0.3.93 vs v0.3.91: **−187 INT30-C violations** across
  four codebases (hostap's pre-existing stack overflow unrelated).
    curl:      -106 INT30-C
    mosquitto:  -44 INT30-C
    sqlite:     -37 INT30-C, -1 FIO05-C
    libcrc:       0
  Total: -188 violations overall. Closes task 60.done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z�cb
+�555Release v0.3.92### Changed

- INT30-C: three targeted FP reductions on embedded codebases:
  1. Skip plain `++`/`--` of a wide-unsigned struct/union field
     (`ctx->tick++`, `obj.seq--`). Monotonic counter fields wrap at 2^32
     or 2^64 — practically never in real systems. Juliet CWE-190/191
     only exercises local-variable increments, so TP detection is
     preserved.
  2. Skip the calloc overflow warning when both `calloc` arguments are
     function parameters of the enclosing function (thin-wrapper
     pattern). Overflow detection is delegated to C11 calloc itself
     (§7.22.3.2).
  3. Extend subtraction guard detection to preceding
     early-exit `if` siblings. `if (a < b) return; /* ... a - b */`
     places the subtraction on an implicit else-path where `a >= b`.
- INT30-C: `get_function_arguments` now iterates named children of the
  argument list instead of all children. Previously it returned
  punctuation tokens (`(`) as the first "argument", which silently
  suppressed `malloc`/`realloc` multiplication overflow detection and
  produced malformed `calloc((, nmemb)` messages. Added missing
  `SIZE_MAX / size` guard recognition for `malloc` and `realloc`
  (calloc already had it) so the fix does not regress pass tests.
- INT30-C: `has_function_context_check` falls back to the translation
  unit when the call has no containing function, so top-level wiki-
  snippet tests continue to recognize overflow guards.

### Benchmark

- Targets task 60 follow-up: embedded FPs identified after v0.3.88
  library benchmark. On the 4 target embedded codebases (suppressions
  stripped for measurement):
    d_lib_common:          1 → 0 INT30-C FPs
    d_lib_serial_leds:    12 → 8 INT30-C FPs (−3 tick increments,
                                             −1 implicit-else guard)
    d_lib_airpath:         2 → 2 (unchanged — bounded-shift compound
                                 addition, out of scope)
  All 3319 existing tests still pass; new
  `testcases_embedded_patterns.c` pass test covers the three new
  patterns.done2026-04-20T16:58:09Z2026-04-17T00:00:00Z2026-04-17T00:00:00Z
A�A�	e
+�k555Release v0.3.98### Changed

- EXP02-C: extend guard-pattern recognition beyond null-checks. Any
  comparison (`==`, `!=`, `<`, `>`, `<=`, `>=`) on the LHS of `&&` or
  `||`, or a compound `&&`/`||` chain whose leaves are comparisons,
  is now treated as a short-circuit guard. The RHS is still required
  to be mutation-free (no `=`, `+=`, `++`, `--`) so patterns like
  `file_size > 0 && buflen >= file_size && fseek(...)` and
  `arr->len == arr->cap && !growCapacity(arr)` are no longer flagged,
  while `p || (p = malloc(...))` and `a > 0 && ++count > 10` still
  trigger. Closes task 64.
- INT32-C: skip `sizeof(...)` arguments to `memcpy` / `memmove` /
  `memset` size positions. `sizeof(*ctx)` always yields `size_t` and
  has no signed overflow risk, but the text-based `contains_arithmetic`
  helper false-matched the `*` inside the sizeof. Closes task 66 item 1.

### Benchmark

- Juliet v0.3.97 → v0.3.98: **zero delta** across all 74 CWEs —
  TP 24,622, FP 14,226, TP rate 63.4% (unchanged). The EXP02-C guard
  extension and INT32-C sizeof skip target real-world idioms (sizeof
  in memset, compound comparison chains, equality-plus-call patterns)
  that Juliet does not exercise.
- Real-world v0.3.93 → v0.3.98: **−343 violations** (spans v0.3.94-
  0.3.98 work combined). INT32-C −239 is almost entirely v0.3.98's
  sizeof fix (v0.3.94-0.3.97 did not touch INT32-C); API00-C −111
  and INT31-C −2 come from tasks 68/69/62C. Per-project INT32-C
  deltas: sqlite −169, curl −67, mosquitto −3. MSC04-C +8 minor
  regression carried over from the v0.3.94-0.3.97 range.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z�0d
+�9555Release v0.3.97### Changed

- API00-C: suppress `void *` / `const void *` parameters that are never
  dereferenced locally and only pass through to null-accepting stdlib
  sinks (free/realloc/cfree/Memory_Free/Memory_Realloc) or callees
  whose summary validates the argument. NULL is a valid value for
  generic-container slot parameters (e.g., `ArrayList_Append(self,
  void *item)`).

### Benchmark

- Juliet v0.3.96 → v0.3.97: TP 24,628→24,622 (-6), FP 14,238→14,226
  (-12). API00-C was the only affected rule (2.0:1 FP:TP ratio).
  CWE-476 (null deref) TP rate 58.9% → 59.6% (+0.7pp). Overall TP
  rate unchanged at 63.4%. Zero other-rule regressions.
- Real-world d_lib_common: API00-C 1 → 0 FP with
  suppressions stripped.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z
�����3h
-�=555Release v0.3.101### Changed

- ENV33-C: walk the reverse call graph transitively in
  `callers_are_all_clean`. v0.3.100 only checked direct callers, which
  lost TPs on Juliet CWE-78 variants 52c/53d/54e where intermediate
  forwarding sinks are clean pass-throughs but a grand-caller holds the
  recv/fgets. BFS-style walk with a visited set guards against cycles.

### Benchmark

- Juliet v0.3.99 → v0.3.101: TP 24,590 → 24,478 (−112), FP 14,082 →
  13,632 (**−450**), TP rate 63.6% → **64.2%** (+0.6pp). ENV33-C is
  the only affected rule: TP 1550 → 1438, FP 500 → **50** — a
  **4.02:1 FP:TP ratio**, matching the PLAN.md task 49 projection for
  CWE-78 helper-sink suppression. CWE-78 TP rate 76.6% → **87.7%**
  (+11.1pp). Zero other-CWE regressions. The remaining 50 ENV33-C FPs
  are all v65b function-pointer variants where the call graph has no
  edge for `funcPtr(data)` — future work requires function-pointer
  call-graph edges (same limitation noted in task 49A).done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z�g
-�555Release v0.3.100### Changed

- ENV33-C: replace blanket "pointer parameter → flag" suppression
  with caller-aware lookup. When the containing function has
  pointer/string parameters and no direct taint-source call in its
  body, defer to the reverse call graph: suppress only when every
  caller's prescan summary shows both `has_env03_taint_source` and
  `returns_tainted` are false. Unknown callers stay flagging.
  Mirrors the ENV03-C task 68 pattern.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z�f
+�555Release v0.3.99### Changed

- FunctionSummary: new `returns_tainted` bit and
  `returns_from_callees` set. Seeded in prescan from
  `has_env03_taint_source` on non-void returns, then propagated to
  fixpoint via a new `propagate_return_taint` pass so wrapper chains
  (`char *wrap() { return readIt(); }`) inherit a callee's taint bit.
  Same-named static merging ORs the new bits (mirrors the existing
  `has_env03_taint_source` merge).
- ENV03-C: extend `rhs_is_safe` with a `call_expression` arm. A
  `data = helper(...)` assignment is now treated as safe when
  `helper`'s summary is known and has neither
  `has_env03_taint_source` nor `returns_tainted`. Unknown callees stay
  conservative. Suppresses Juliet CWE-78 v42-style goodG2B(Source)
  patterns while still flagging the corresponding `data =
  badSource(...)` bad paths (badSource contains `recv`).
- INT31-C: `call_rhs_has_taint_source` now recognises callees whose
  summary has `returns_tainted` set. Catches transitive wrappers
  without requiring a direct taint-source call in the immediate
  callee's body.

### Benchmark

- Juliet v0.3.98 → v0.3.99: TP 24,622→24,590 (−32), FP 14,226→14,082
  (**−144**), TP rate 63.4% → **63.6%** (+0.2pp). ENV03-C is the only
  affected rule: TP 652→620, FP 468→**324** — a **4.5:1 FP:TP
  ratio**, the cleanest ratio for ENV03-C since task 67 (v0.3.94's
  4.1:1). CWE-78 TP rate 74.1% → **76.6%** (+2.5pp). CWE-426 side
  benefit: FP 188→164 (−24, 1:1 with TP drop). Zero other-rule
  regressions. INT31-C was neutral on Juliet — the transitive-wrapper
  pattern exists in real-world code but not in the Juliet v42 CWE-194/
  195 templates, which use direct taint-source calls inside their
  `badSource` helpers.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z
RkR�j
-�555Release v0.3.103### Changed

- STR02-C: port the ENV03-C / ENV33-C caller-aware suppression template.
  When `system()` / `popen()` is called with a function parameter that's
  only tainted by the default "params are untrusted" rule — i.e. the
  enclosing body contains no direct taint-source call — walk the reverse
  call graph and suppress iff every transitive caller's summary shows
  `has_env03_taint_source` and `returns_tainted` both false. BFS with a
  visited set, matching the ENV33-C pattern that handles Juliet's
  variant 52c/53d/54e multi-level forwarding chains. New fields
  `function_summaries` + `callers` on `Str02C` populated from
  `ProjectContext.call_graph` in `set_project_context`.

### Benchmark

- Juliet v0.3.102 → v0.3.103: TP 24,542 → 24,518 (−24), FP 13,498 →
  **13,358** (−140), TP rate 64.5% → **64.7%** (+0.2pp). Zero
  other-CWE regressions; every non-CWE-78 cell in the delta report is
  exactly zero.
  - CWE-78 TP rate 90.3% → **94.8%** (+4.5pp). STR02-C FP 140 → **0**,
    TP 560 → 536 (−24). **5.83:1 FP:TP ratio** — best ratio so far in
    the CWE-78 taint-aware series (prior bests: 4.5:1 at task 49A, 4.1:1
    at task 67). STR02-C now contributes zero FPs to CWE-78; all 140
    remaining CWE-78 FPs are on ENV03-C (v42-style return-tainted
    helpers and v45 global-static pointer reads).
  - CWE-78 TP rate (94.8%) now exceeds clang-tidy's 91.6% shared-CWE
    average — CWE-78 is no longer a competitor-parity gap.
- Real-world (curl / sqlite / mosquitto / libcrc / hostap): not rerun.
  The change reuses existing `FunctionSummary` fields (no new summary
  bits, no schema change), so real-world behaviour matches v0.3.102
  which had zero delta from v0.3.98.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z�i
-�{555Release v0.3.102### Changed

- prescan (`collect_callees`): resolve function-pointer aliases when
  building the call graph. The function body is now walked twice — the
  first pass captures `void (*fp)(char *) = target;` init declarators
  and `fp = target;` rebinds into a local alias map, the second pass
  emits callees with aliased identifiers rewritten to the target
  function. Juliet v65a/b sinks now surface a real caller edge instead
  of a dangling `funcPtr` entry.
- prescan (`has_env03_taint_source`): also match per-file macro aliases
  whose target is in `ENV03_TAINT_SOURCE_FUNCTIONS`. Juliet's
  `#define GETENV getenv` wrappers now correctly poison the caller's
  summary, so ENV03-C / ENV33-C / INT31-C caller-aware suppression
  treats `GETENV(ENV_VARIABLE)` as a real taint source.
- `function_summary::compute_summaries` gains a `taint_source_aliases`
  parameter plumbed through `analyze_function` and
  `collect_function_summaries`. Per-file alias collection in prescan
  (and header resolution) pre-filters aliases to those resolving to a
  taint source before calling summarize.

### Benchmark

- Juliet v0.3.101 → v0.3.102: TP 24,478 → **24,542** (+64), FP 13,632
  → **13,498** (−134), TP rate 64.2% → **64.5%** (+0.3pp). Zero
  other-CWE regressions.
  - CWE-78 TP rate 87.7% → **90.3%** (+2.6pp). ENV33-C FP 50 → **0**,
    TP 1438 → 1514 (+76). ENV03-C FP 324 → 300 (−24), TP 620 → 628
    (+8). 50 FP → 0 for variant 65b, plus +76 TPs recovered in other
    helper-sink variants where the bad caller used a macro-wrapped
    taint source (GETENV, FGETS, etc.) previously missed by the text
    scan.
  - CWE-194 TP rate 67.9% → **69.4%** (+1.5pp), FP −30, TP −10.
  - CWE-195 TP rate 51.9% → **52.5%** (+0.6pp), FP −30, TP −10.
  - INT31-C: FP 1452 → 1392 (−60), TP 2142 → 2122 (−20). 3:1 ratio.
- Real-world v0.3.98 → v0.3.102 (curl, sqlite, mosquitto, libcrc,
  hostap): zero delta. Change is Juliet-specific — these codebases
  don't use Juliet's function-pointer-across-files pattern or macro
  aliases that resolve to taint sources.done2026-04-20T16:58:09Z2026-04-19T00:00:00Z2026-04-19T00:00:00Z
[��[�Rn
o�955549G: ENV03-C v34 union-field-alias FP suppressionEliminated ~20 ENV03-C v34 FPs (OMITGOOD union-alias pattern). walk_for_taint case-insensitive for UPPERCASE macro aliases (GETENV->getenv). rhs_is_safe + walk_pointer_aliases handle dot field_expression. v0.3.107.done2026-04-22T19:22:42Z2026-04-22T19:22:51Z2026-04-22T19:22:51Z�Rm
o�955549G: ENV03-C v34 union-field-alias FP suppressionEliminated ~20 ENV03-C v34 FPs (OMITGOOD union-alias pattern). walk_for_taint case-insensitive for UPPERCASE macro aliases (GETENV->getenv). rhs_is_safe + walk_pointer_aliases handle dot field_expression. v0.3.107.done2026-04-22T19:22:38Z2026-04-23T15:04:45Z2026-04-23T15:04:45Z�-l
w�g55549E: ENV03-C v45 global-static pointer write trackingLast remaining major CWE-78 FP contributor (~140 FPs). Juliet v45 pattern: static global pointer is written in function A (good path: clean data) and read in function B (goodG2BSink pattern) before SYSTEM(data). Currently FPs because char *data = g_static is seen as untrusted identifier init. Fix: prescan collects writers of file-scope static variables, ENV03-C seeds clean globals (all writers have has_env03_taint_source=false AND returns_tainted=false) into safe_sources. Symmetric to caller-aware taint check but inverted (writers instead of callers).done2026-04-20T17:24:37Z2026-04-20T17:25:17Z2026-04-20T18:17:29Z�Hk
-�g555Release v0.3.104### Changed

- ENV03-C: extend caller-aware suppression to local command variables
  derived from a function parameter. When the `system()` / `popen()`
  argument is a local like `char *data = *dataPtr` (variant 63),
  `char *data = dataArray[2]` (variant 66), `char *data =
  myStruct.structFirst` (variant 67), or a chain through a cast such as
  `char **dataPtr = (char **)dataVoidPtr; char *data = *dataPtr;`
  (variant 64), walk writes to the command var and — if every write is
  derived via deref / subscript / field / cast from a function
  parameter (possibly through other parameter-derived locals) —
  reuse `callers_are_all_clean`. Suppress iff every caller's summary
  has `has_env03_taint_source` false. New helper
  `is_command_var_parameter_derived` + write-collection fixpoint.
- `function_summary::ENV03_TAINT_SOURCE_FUNCTIONS` and the matching
  scope-local list in `env03_c` now cover wide-character and Windows
  input equivalents: `fgetws`, `getwchar`, `getwc`, `fgetwc`,
  `wscanf`/`fwscanf`/`swscanf`/`vwscanf`/`vfwscanf`, `_getws`,
  `_getws_s`, `_wgetenv`, `_wgetenv_s`. Juliet's
  `wchar_t_console_*` / `wchar_t_file_*` variants read via `fgetws`;
  with these absent, the bad-path caller's summary was (incorrectly)
  clean and the new parameter-derived fix was over-suppressing the
  wchar_t bad-sink TPs. Mirrors the narrow-char coverage.

### Benchmark

- Juliet CWE-78 (single-rule ENV03-C measurement, prescan enabled):
  - Pre-change: 660 violations (520 TP / 140 FP, 78.8% TP rate).
  - Post-change: 680 violations (620 TP / 60 FP, **91.2% TP rate**).
  - FP −80, TP +100 — **0.8:1 FP:TP ratio** (net gain of TPs
    exceeds FPs eliminated). Both axes move in the right direction
    because the wide-char taint expansion recovers bad-path TPs that
    were previously silently suppressed by the clean-caller check.
  - Variant-level: v63/v64/v66/v67 FPs go to 0 each (80 FPs cleared);
    wchar_t bad-sink TPs (variants v01-v18, v21-v68) recover 4 each
    across ~25 variants.
  - Remaining 60 ENV03-C CWE-78 FPs: v34 (union field access, 20),
    v45 (static global pointer read, 20), v68 (extern global pointer
    read cross-file, 20). These need type-aware field analysis or
    global-write tracking, out of scope here.
- Full Juliet + real-world rerun deferred (changes reuse existing
  `FunctionSummary` fields; wide-char taint additions affect ENV33-C /
  INT31-C / STR02-C identically to ENV03-C but those are all
  conservative additions — a missing source was letting taint through).done2026-04-20T16:58:09Z2026-04-20T00:00:00Z2026-04-20T00:00:00Z
q�
a�+q�7s�-�C555INT32-C + INT10-C: gate sign-safety rules on operand signedness (unsigned types)INT32-C fires on unsigned int/u32/u16 operands (27 violations in e_bms_primcu3124_scud) — signed overflow rule should not fire on unsigned types. INT10-C fires on u16 modulo (16 violations) for the same reason: % on unsigned always yields non-negative. Same root cause: checkers do not verify operand signedness before firing. Also INT32-C fires on pointer arithmetic expressions (e.g. AFE_INT_EN+4) — need to gate on non-pointer integer types too. Fix: before firing either rule, confirm LHS operand resolves to a signed integer type.done2026-04-30T15:41:33Z2026-04-30T15:55:48Z2026-04-30T16:08:01Z� r��%555INT31-C FP reduction: conditional-branch goodG2B pattern (v08-v17, v6xb)Investigation of INT31-C remaining FPs in CWE-195 (690 FP) and CWE-194 (330 FP).

## Summary
Total INT31-C FPs: 1,248 (CWE-195: 690, CWE-194: 330, rest from other CWEs).
Callsite constant arg propagation (v0.3.115) did NOT help INT31-C — those goodG2B
cases were already handled by prior suppression (within-function VRA or taint-free).

## Top FP Variants (CWE-195 s01, local repro)
- v08: 34 FPs — staticReturnsFalse/staticReturnsTrue conditional branch
- v09: 28 FPs
- v10: 28 FPs
- v13: 24 FPs
- v11: 20 FPs, v14: 18 FPs, v17: 17 FPs, v45: 15 FPs
- v63b/v64b/v66b/v68b: 8-10 FPs each (void-ptr helper sink)

## v08 Pattern (most common)
  static void goodG2B1() {
      int data = -1;
      if (staticReturnsFalse()) { /* dead */ }
      else { data = 100-1; }   // data=99
      if (data < 100) {
          malloc(data);    // INT31-C fires here (FP)
          memset(buf, x, data-1);  // also fires
      }
  }

## Analysis
- Standalone file (no prescan): CLEAN — suppression works
- With full CWE-195 prescan (-d CWE195 dir): FPs fire on lines 161,164,187,190
- Suppression path: is_inside_upper_bound_guard() && var_is_taint_free()
  - upper_bound_guard: 'data < 100' should return true
  - var_is_taint_free: goodG2B1 has no taint source, data not from tainted call
  - Standalone: both true → suppress. With prescan: something breaks.
- SUSPECT: prescan cross-contamination. Multiple static goodG2B1 definitions
  OR-merged; if any has has_env03_taint_source=true, var_is_taint_free returns false.
  But checked: all goodG2B1 functions in CWE-195 use constant sources.
- NEXT: inspect why the prescan run breaks suppression. Add debug trace or
  check if find_enclosing_function fails (returns None → var_is_taint_free=false).
  Check lines 140-170 of connect_socket_malloc_08.c for exact context.
  Also check if 'data' missing from var_types when 'int data;' declared without init.

## Files
- src/rules/cert_c/INT/INT31-C/int31_c.rs: var_is_taint_free(), is_inside_upper_bound_guard()
- Juliet: ~/data/benchmarks/.../CWE195.../s01/*_08.cdone2026-04-30T11:20:20Z2026-04-30T11:20:35Z2026-04-30T15:55:45Z�q
�555Update task 18 investigation notes: MEM30-C item #8 fixed in v0.3.114done2026-04-28T18:59:56Z2026-04-28T19:00:02Z2026-04-28T19:00:02Z�5p
}�q55550G: ENV03-C uppercase macro constant safe strcpy sourcestrcpy/strcat second-arg check now accepts ALL_CAPS identifiers as compile-time macro constants. Eliminates 136 CWE-426 FPs (GOOD_OS_COMMAND pattern) + 84 spurious TPs. v0.3.109.done2026-04-23T17:44:45Z2026-04-23T17:44:52Z2026-04-23T17:44:52Z�do
M�555ENV03-C v68 extern global FP fixEliminate ~20 FPs in CWE-78 from Juliet v68 pattern (extern global pointer cross-file data flow). Fixed collect_static_pointer_globals to also track non-static extern-linkage pointer globals. With -d flag, goodG2BSink correctly suppressed. v0.3.108.done2026-04-23T13:56:29Z2026-04-23T13:56:40Z2026-04-23T13:56:40Z
�
�J�
���Vz�A�m555PRE10-C: recognize do-while(0) wrapper spanning multiple lines with backslash continuation1 FP in e_bms_primcu3124_scud — IO_F_mcu_pwm macro (bms.h:211) correctly wrapped in do{...}while(0) but sqc flags it as unwrapped. The do-while spans multiple lines using backslash continuation. Fix: parse multi-line macro body with backslash continuations before checking for do-while wrapper pattern.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�qy��K555FLP00-C: only fire on floating-point operands, not integer comparisons1 FP in e_bms_primcu3124_scud — if(da == 0xff) at comm.c:676 flagged as float equality. da is declared u8. Fix: FLP00-C should only fire when at least one operand of == is a floating-point type (float/double/long double).done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�|x��e555MSC37-C: recognize post-loop unconditional return as valid exit path1 FP in e_bms_primcu3124_scud — cell_temp_interpolate() (comm.c:89) has unconditional return after for-loop (out-of-range case). sqc appears to miss post-loop return when loop body contains early return — may be treating post-loop code as unreachable. Fix: code after a for/while loop is reachable when loop condition is not guaranteed true on every iteration.done2026-04-30T15:41:49Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�-w��K555MEM05-C: verify actual call cycle exists before flagging recursion1 FP in e_bms_primcu3124_scud — SendDataLogging() (comm.c:225) flagged as recursive. It calls get_bms_data_log(), Cal_Crc(), SendData_IF() — none call back into SendDataLogging. Fix: confirm a call chain from the flagged function back to itself actually exists before firing MEM05-C.done2026-04-30T15:41:49Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�
v�O�5EXP33-C + ARR00-C: cross-function output-buffer fill pattern (non-const ptr + return-value guard)2 EXP33-C + 8 ARR00-C violations in e_bms_primcu3124_scud at same sites (I2C.c:398,431). ReadBuf[] passed to I2CRead() as output buffer (non-const ptr); only read inside if(ret==1) where ret is I2CRead() return value. sqc cannot track interprocedural fill. Partial fix: when array passed as non-const ptr arg and its subsequent read is guarded by the callee's return value, reduce EXP33-C confidence. Also: ARR00-C and EXP33-C fire on same sites — avoid reporting two rules on the same uninitialized-buffer pattern.pending2026-04-30T15:41:49Z�3u��I555MEM30-C: gate stack-escape check on pointer/array type of assigned global18 FPs in e_bms_primcu3124_scud — scalar integer assignments to globals (timer counters, state vars) inside HAL_ENTER_CRITICAL_SECTION blocks misidentified as stack pointer escapes. Fix: only fire MEM30-C stack-escape when the global's declared type is a pointer or array type. If global is scalar integer (u8/u16/u32/int/uint8_t etc.), do not fire. Note: currently suppressed via project config as a workaround.done2026-04-30T15:41:49Z2026-04-30T16:08:01Z2026-04-30T16:08:01Z�}t�=�?555DCL07-C + DCL31-C: follow #include chain for declarations; recognize compiler intrinsics374 duplicate violations (187 each) in e_bms_primcu3124_scud. Two sub-patterns: (A) Holtek compiler built-ins _nop()/_clrwdt() have no standard header — need configurable intrinsics list per target; (B) functions declared via extern in #included headers are still flagged because sqc does not resolve #include chains when checking for prior declarations. Also: DCL07-C and DCL31-C appear to check the same condition and fire on identical sites — consider deduplication.done2026-04-30T15:41:33Z2026-04-30T16:08:01Z2026-04-30T16:08:01Z

f�	�t,zf������#	555Every rule violation should report where and why it failedRules should include precise source location and human-readable explanation in their output. Originally P0-003 in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:18Z2026-05-19T00:48:42Z2026-05-19T01:22:21Z��
o�#	555Optimize runtime performance on real repositoriesTool is too slow for practical use on real codebases. Needs profiling and optimization pass. Originally P0-002 in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:17Z2026-05-15T13:42:31Z2026-05-18T00:26:28Z�6�
O�k5Improve test debugging experienceGenerated test names are opaque, failure output lacks source location, debug prints get overwritten on rebuild. Need better linkage between failing test name, .c file, and CERT C wiki example. Originally P1-003 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:26Z�M�
E�Y555Add mutex poisoning recoveryMultiple lock().unwrap() calls in src/progress.rs and src/rules/cert_c/integration.rs have no poisoning recovery. A thread panic while holding a lock cascades to crash the entire run. Originally P1-002 in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:24Z2026-05-07T19:31:22Z2026-05-07T19:31:22Z��
U�+5Add TOML validation to build processbuild.rs merges individual rule TOML files but does not validate the output. Syntax errors, schema violations, and malformed fields go undetected until runtime. Originally P1-001 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:22Z�E
�	555Eliminate compiler warnings (clean build generates noise)Clean build generates excessive warnings from stub rules, masking real issues. Root causes: unused imports in stub rules, missing allow attributes. Originally P0-001 in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:15Z2026-05-07T19:24:17Z2026-05-07T19:24:17Z�u~�-�?555EXP15-C: do not fire on empty loop body when condition polls a volatile variable6 FPs in e_bms_primcu3124_scud — spin-poll busy-waits like while(_txif0==0); and while(!_hircf); flagged as likely accidental empty bodies. All are intentional hardware peripheral-ready/clock-stable polls. Also: sqc message says semicolon is 'on the same line' but it is consistently on the next line in this codebase. Fix: if loop condition operand is a volatile variable or has form while(volatile_var op constant), treat empty body as intentional and suppress EXP15-C.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�T}��555PRE07-C: do not flag trigraph sequences inside // or /* */ comments2 FPs in e_bms_primcu3124_scud — sys.c:319,340 have ?- sequences inside // comments where Chinese text is garbled/truncated (变量初始??? etc.). Even if it were a real trigraph (expands to ~), trigraphs in C99+ comments have no semantic effect. Fix: skip PRE07-C when the trigraph-like sequence appears inside a comment.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�@|��c555EXP02-C: allow hardware-flag && countdown-decrement short-circuit pattern3 FPs in e_bms_primcu3124_scud — while((_iar2 & 0x04) && (--timeout)) pattern: left operand is hardware register flag check (volatile), right is bounded countdown --timeout. Short-circuit is intentional: if hw condition clears, timeout is not decremented. Same pattern documented in d_lib_common FP-016/FP-019. Fix: extend EXP02-C exemption to cover VOLATILE_FLAG_CHECK && (--counter) pattern, not just NULL_CHECK && fn_call.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z�w{�G�)555ARR39-C: do not flag sizeof-bounded loop when pointer type is u8*/uint8_t* (element size = 1)1 FP in e_bms_primcu3124_scud — sys.c:372: for(i=0;i<sizeof(bsm_data_log);i++) with (u8*)bsm_data_log.CELL_MAX+i. Pointer cast to u8* so +i advances exactly 1 byte. sizeof() and pointer step are in same unit. Fix: ARR39-C should not fire when pointer type is u8*/uint8_t* since element size is 1 byte and no scaling mismatch exists.done2026-04-30T15:42:09Z2026-04-30T20:01:38Z2026-04-30T20:01:38Z
	�/
��1	��O��<�
w�	555Disable or fix CON33-C and CON07-C (97%/87% FP rates)CON33-C has 97% FP rate (2 TP, 64 FP). CON07-C has 87% FP rate (10 TP, 64 FP). These map to CWE-377 and CWE-366 respectively. Both are near-useless in current form and undermine paper credibility. Options: (1) investigate if they can be fixed with targeted logic, (2) disable them entirely in the default TOML config. Fix or disable before paper submission. The 128 FPs from these two rules alone drop the overall FP total from 10,590 to 10,462.done2026-05-17T15:29:05Z2026-05-17T17:35:17Z2026-05-17T18:43:40Z�5�

u�{	555Add VRA suppression to ARR30-C index bounds checkingARR30-C has 1,121 FPs (38.2% rate) and does NOT use VRA at all. VRA infrastructure is mature (value_range.rs). For static arrays like int arr[10], when VRA proves the index variable's range at the access point is within [0, array_size-1], suppress the violation. This is the most direct VRA extension possible — a clean intersection of index_range ⊂ [0, N-1]. See int32_c.rs for how to call needs_vra/set_vra_results/vra_var_ranges_at.done2026-05-17T15:29:05Z2026-05-17T15:29:16Z2026-05-17T17:33:55Z�7���7	5Investigate residual INT32-C/INT31-C/INT30-C FPs despite VRAINT32-C: 1,767 FP, INT31-C: 1,248 FP, INT30-C: 933 FP — all use VRA but still high FP rates. Need to understand WHICH Juliet variants are still generating FPs with VRA enabled, and why. Use get_cwe_detail on CWE-190/CWE-191/CWE-195/CWE-194 to identify specific variant patterns. Then fix the VRA gap or add targeted suppression. Hypothesis: cross-function patterns, compound expressions (VRA tracks vars but not expressions), or switch-case guards not modeled in CFG.pending2026-05-17T15:29:05Z��
s�	5Investigate and fix STR31-C false positive patternsSTR31-C has 1,671 FPs (53.3% rate) — the single largest FP contributor. Does NOT use VRA. Uses text-pattern matching for strlen/sizeof/strncat guards. Need to: (1) run get_cwe_detail on CWE-121/CWE-122 to identify which Juliet variants are failing, (2) inspect the actual failing files to understand the pattern, (3) implement targeted fixes. VRA may not apply directly since this is about string lengths, not integer arithmetic — investigate first.pending2026-05-17T15:29:05Z��	��E5Fix wiki parser to exclude output examples from test generationWiki scraper creates test .c files from runtime output blocks (not actual C code), producing unparseable test files. Example: MSC32-C tests/fail/wiki_posix_2.c. Parser needs to distinguish code examples from output documentation. Originally P2-WIKI-PARSER in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:40Z�e�
u�Y555Automate mod.rs rule registry generation in build.rsEvery new rule requires two manual edits to src/rules/cert_c/mod.rs (pub mod declaration + registry.register call). Should be auto-generated from directory scan in build.rs. Originally P2-AUTO-REGISTRY in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:37Z2026-05-07T19:25:40Z2026-05-07T19:25:40Z�M�
�555Implement FIO30-C: Exclude user input from format stringsHigh-priority CERT C rule (P18 severity). Requires interprocedural taint analysis framework — significant architectural work, estimated 40-60 hours. Originally P1-FIO30-C in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:33Z2026-05-07T19:24:17Z2026-05-07T19:24:17Z�@�
s�555Implement EXP34-C: Do not dereference null pointersHigh-priority CERT C rule (P18 severity). Requires scope-aware control-flow analysis — significant architectural work, estimated 25-60 hours. Originally P1-EXP34-C in AGENTS/PROPOSALS/BACKLOG.done2026-05-07T18:45:32Z2026-05-07T19:24:17Z2026-05-07T19:24:17Z�M�
]�5Add folder nesting to interactive clientInteractive client should support navigating rules organized by folder/category. Originally P1-004 in AGENTS/PROPOSALS/BACKLOG.pending2026-05-07T18:45:29Z